science-ation/user_password.php

<?

/*
 * This file is part of the 'Science Fair In A Box' project
 * Science-ation Website: https://science-ation.ca/
 *
 * Copyright (C) 2005 Sci-Tech Ontario Inc <info@scitechontario.org>
 * Copyright (C) 2005 James Grant <james@lightbox.org>
 * Copyright (C) 2024 AlgoLibre Inc. <science-ation@algolibre.io>
 * Copyright (C) 2007 David Grant <dave@lightbox.org>
 *
 * This program is free software; you can redistribute it and/or
 * modify it under the terms of the GNU General Public
 * License as published by the Free Software Foundation, version 2.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
 *  General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program; see the file COPYING.  If not, write to
 * the Free Software Foundation, Inc., 59 Temple Place - Suite 330,
 * Boston, MA 02111-1307, USA.
 */
?>
<?
require_once('common.inc.php');
require_once('user.inc.php');

global $pdo;

$type = false;
if (isset($_SESSION['users_type'])) {
	$type = $_SESSION['users_type'];
} else {
	message_push(error(i18n('You must login to view that page')));
	header("location: {$config['SFIABDIRECTORY']}/index.php");
	exit;
}

/* Make sure the user is logged in, but don't check passwd expiry */
if (!isset($_SESSION['users_type'])) {
	message_push(error(i18n('You must login to view that page')));
	header("location: {$config['SFIABDIRECTORY']}/user_login.php?type=$type");
	exit;
}

if ($_SESSION['users_type'] != $type) {
	message_push(error(i18n('You must login to view that page')));
	header("location: {$config['SFIABDIRECTORY']}/user_login.php?type=$type");
	exit;
}

if (array_key_exists('request_uri', $_SESSION))
	$back_link = $_SESSION['request_uri'];
else
	$back_link = "{$type}_main.php";
unset($_SESSION['request_uri']);

$password_expiry_days = get_value_from_array($config, "{$type}_password_expiry_days");

if (get_value_from_array($_POST, 'action') == 'save') {
	$pass = $_POST['pass1'];
	// first, lets see if they choosed the same password again (bad bad bad)
	$q = $pdo->prepare("SELECT password FROM users WHERE id=?");
	$q->execute([$_SESSION['users_id']]);
	$hash = $q->fetch(PDO::FETCH_ASSOC)['password'];

	if (password_verify($pass, $hash))
		message_push(error(i18n('You cannot choose the same password again.  Please choose a different password')));
	else if (!$_POST['pass1'])
		message_push(error(i18n('New Password is required')));
	else if ($_POST['pass1'] != $_POST['pass2'])
		message_push(error(i18n('Passwords do not match')));
	else if (user_valid_password($_POST['pass1']) == false)
		message_push(error(i18n('The password contains invalid characters or is not long enough')));
	else {
		user_set_password($_SESSION['users_id'], $pass);
		unset($_SESSION['password_expired']);

		message_push(happy(i18n('Your password has been successfully updated')));
		header("location: $back_link");
		exit;
	}
}

send_header(
	"{$user_what[$type]} - Change Password",
	array("{$user_what[$type]} Registration" => "{$type}_main.php"),
	'change_password'
);

if (get_value_from_array($_SESSION, 'password_expired') == true) {
	echo i18n('Your password has expired.  You must choose a new password now.');
}

echo "<form name=\"changepassform\" method=\"post\" action=\"user_password.php\">\n";
echo "<input type=\"hidden\" name=\"action\" value=\"save\" />\n";
echo "<table>\n";

echo '<br />';
echo '<table>';
echo '<tr><td>';
echo i18n('Enter New Password:');
echo '</td><td>';
echo '<input type="password" size="10" name="pass1">';
echo '</td></tr>';
echo '<tr><td>';
echo i18n('Confirm New Password:');
echo '</td><td>';
echo '<input type="password" size="10" name="pass2">';
echo '</td></tr>';

echo '</table>';
echo '<input type="submit" value="' . i18n('Change Password') . "\" />\n";
echo '</form>';
echo '<br />';
echo '<div style="font-size: 0.75em;">' . i18n('Passwords must be be between 6 and 32 characters, and may NOT contain any quote or a backslash.') . '</div>';

send_footer();
?>
- New user and volunteer signup system 2007-11-16 06:30:42 +00:00			`<?`

Resolve errors, improve code style, and remove legacy dependencies 2025-01-29 03:30:48 +00:00			`/*`
			`* This file is part of the 'Science Fair In A Box' project`
format code 2025-02-10 19:54:20 +00:00			`* Science-ation Website: https://science-ation.ca/`
Resolve errors, improve code style, and remove legacy dependencies 2025-01-29 03:30:48 +00:00			`*`
			`* Copyright (C) 2005 Sci-Tech Ontario Inc <info@scitechontario.org>`
			`* Copyright (C) 2005 James Grant <james@lightbox.org>`
format code 2025-02-10 19:54:20 +00:00			`* Copyright (C) 2024 AlgoLibre Inc. <science-ation@algolibre.io>`
Resolve errors, improve code style, and remove legacy dependencies 2025-01-29 03:30:48 +00:00			`* Copyright (C) 2007 David Grant <dave@lightbox.org>`
			`*`
			`* This program is free software; you can redistribute it and/or`
			`* modify it under the terms of the GNU General Public`
			`* License as published by the Free Software Foundation, version 2.`
			`*`
			`* This program is distributed in the hope that it will be useful,`
			`* but WITHOUT ANY WARRANTY; without even the implied warranty of`
			`* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU`
			`* General Public License for more details.`
			`*`
			`* You should have received a copy of the GNU General Public License`
			`* along with this program; see the file COPYING. If not, write to`
			`* the Free Software Foundation, Inc., 59 Temple Place - Suite 330,`
			`* Boston, MA 02111-1307, USA.`
			`*/`
- New user and volunteer signup system 2007-11-16 06:30:42 +00:00			`?>`
			`<?`
format code 2025-02-10 19:54:20 +00:00			`require_once('common.inc.php');`
			`require_once('user.inc.php');`
- New user and volunteer signup system 2007-11-16 06:30:42 +00:00
Resolve errors, improve code style, and remove legacy dependencies 2025-01-29 03:30:48 +00:00			`global $pdo;`
- New user and volunteer signup system 2007-11-16 06:30:42 +00:00
Resolve errors, improve code style, and remove legacy dependencies 2025-01-29 03:30:48 +00:00			`$type = false;`
			`if (isset($_SESSION['users_type'])) {`
			`$type = $_SESSION['users_type'];`
			`} else {`
			`message_push(error(i18n('You must login to view that page')));`
			`header("location: {$config['SFIABDIRECTORY']}/index.php");`
- Fix login check for an expired password - Allow user_personal.php to handle committee members - Add password field if the editer in user_personal has access_super - Allow a committee member to edit anyone in user_personal.php - Convert auth_required to user_auth_required, and check for both a user type and an access level (if committee) - Convert the committee to the new user system (BIG change :) - Remove the ^M from admin/committees.php 2007-11-17 21:59:59 +00:00			`exit;`
Resolve errors, improve code style, and remove legacy dependencies 2025-01-29 03:30:48 +00:00			`}`

			`/* Make sure the user is logged in, but don't check passwd expiry */`
			`if (!isset($_SESSION['users_type'])) {`
			`message_push(error(i18n('You must login to view that page')));`
Merge all changes from branch r1284:1498 into trunk 2009-09-09 00:26:12 +00:00			`header("location: {$config['SFIABDIRECTORY']}/user_login.php?type=$type");`
- Fix login check for an expired password - Allow user_personal.php to handle committee members - Add password field if the editer in user_personal has access_super - Allow a committee member to edit anyone in user_personal.php - Convert auth_required to user_auth_required, and check for both a user type and an access level (if committee) - Convert the committee to the new user system (BIG change :) - Remove the ^M from admin/committees.php 2007-11-17 21:59:59 +00:00			`exit;`
Resolve errors, improve code style, and remove legacy dependencies 2025-01-29 03:30:48 +00:00			`}`
- New user and volunteer signup system 2007-11-16 06:30:42 +00:00
Resolve errors, improve code style, and remove legacy dependencies 2025-01-29 03:30:48 +00:00			`if ($_SESSION['users_type'] != $type) {`
			`message_push(error(i18n('You must login to view that page')));`
			`header("location: {$config['SFIABDIRECTORY']}/user_login.php?type=$type");`
			`exit;`
			`}`
Remember the page for password changes too, and take them there 2010-01-24 06:47:09 +00:00
Resolve errors, improve code style, and remove legacy dependencies 2025-01-29 03:30:48 +00:00			`if (array_key_exists('request_uri', $_SESSION))`
			`$back_link = $_SESSION['request_uri'];`
			`else`
			`$back_link = "{$type}_main.php";`
			`unset($_SESSION['request_uri']);`
- New user and volunteer signup system 2007-11-16 06:30:42 +00:00
Resolve errors, improve code style, and remove legacy dependencies 2025-01-29 03:30:48 +00:00			`$password_expiry_days = get_value_from_array($config, "{$type}_password_expiry_days");`
- New user and volunteer signup system 2007-11-16 06:30:42 +00:00
Resolve errors, improve code style, and remove legacy dependencies 2025-01-29 03:30:48 +00:00			`if (get_value_from_array($_POST, 'action') == 'save') {`
converted mysql to pdo 2024-12-09 01:06:15 -05:00			`$pass = $_POST['pass1'];`
Resolve errors, improve code style, and remove legacy dependencies 2025-01-29 03:30:48 +00:00			`// first, lets see if they choosed the same password again (bad bad bad)`
Hash passwords in database without affecting program functionality 2025-02-01 22:04:28 +00:00			`$q = $pdo->prepare("SELECT password FROM users WHERE id=?");`
			`$q->execute([$_SESSION['users_id']]);`
			`$hash = $q->fetch(PDO::FETCH_ASSOC)['password'];`

			`if (password_verify($pass, $hash))`
Resolve errors, improve code style, and remove legacy dependencies 2025-01-29 03:30:48 +00:00			`message_push(error(i18n('You cannot choose the same password again. Please choose a different password')));`
			`else if (!$_POST['pass1'])`
			`message_push(error(i18n('New Password is required')));`
			`else if ($_POST['pass1'] != $_POST['pass2'])`
			`message_push(error(i18n('Passwords do not match')));`
			`else if (user_valid_password($_POST['pass1']) == false)`
			`message_push(error(i18n('The password contains invalid characters or is not long enough')));`
- Change the password expiry mechanism to always check {$type}_password_expiry_days. This allows the $config variable to be updated and everyones password will expire based on the new value. To implement this, the password expiry column in the users table has been changed to passwordset, and a PHP script is used to convert the expiry dates to set dates (based on the _password_expiry_days) - Cleanup the password entry checking - Load all config variables for the db_update.php script. Just in case an update script wants access to $config 2007-12-21 08:38:13 +00:00			`else {`
- Move all the password handling code into one function (not duplicated/spread over 3 files) - Fix a bug to always save the old password (unless it was a reset password) - Fix a bug to save the old password even when the user sets a new one 2008-07-09 17:02:11 +00:00			`user_set_password($_SESSION['users_id'], $pass);`
- Change the password expiry mechanism to always check {$type}_password_expiry_days. This allows the $config variable to be updated and everyones password will expire based on the new value. To implement this, the password expiry column in the users table has been changed to passwordset, and a PHP script is used to convert the expiry dates to set dates (based on the _password_expiry_days) - Cleanup the password entry checking - Load all config variables for the db_update.php script. Just in case an update script wants access to $config 2007-12-21 08:38:13 +00:00			`unset($_SESSION['password_expired']);`
- Put the nav bar in the password change page 2007-11-16 07:43:02 +00:00
Merge all changes from branch r1284:1498 into trunk 2009-09-09 00:26:12 +00:00			`message_push(happy(i18n('Your password has been successfully updated')));`
			`header("location: $back_link");`
- Put the nav bar in the password change page 2007-11-16 07:43:02 +00:00			`exit;`
- New user and volunteer signup system 2007-11-16 06:30:42 +00:00			`}`
Resolve errors, improve code style, and remove legacy dependencies 2025-01-29 03:30:48 +00:00			`}`

format code 2025-02-10 19:54:20 +00:00			`send_header(`
			`"{$user_what[$type]} - Change Password",`
Resolve errors, improve code style, and remove legacy dependencies 2025-01-29 03:30:48 +00:00			`array("{$user_what[$type]} Registration" => "{$type}_main.php"),`
format code 2025-02-10 19:54:20 +00:00			`'change_password'`
			`);`
Resolve errors, improve code style, and remove legacy dependencies 2025-01-29 03:30:48 +00:00
			`if (get_value_from_array($_SESSION, 'password_expired') == true) {`
			`echo i18n('Your password has expired. You must choose a new password now.');`
			`}`

			`echo "<form name=\"changepassform\" method=\"post\" action=\"user_password.php\">\n";`
			`echo "<input type=\"hidden\" name=\"action\" value=\"save\" />\n";`
			`echo "<table>\n";`

			`echo '<br />';`
			`echo '<table>';`
			`echo '<tr><td>';`
			`echo i18n('Enter New Password:');`
			`echo '</td><td>';`
			`echo '<input type="password" size="10" name="pass1">';`
			`echo '</td></tr>';`
			`echo '<tr><td>';`
			`echo i18n('Confirm New Password:');`
			`echo '</td><td>';`
			`echo '<input type="password" size="10" name="pass2">';`
			`echo '</td></tr>';`

			`echo '</table>';`
			`echo '<input type="submit" value="' . i18n('Change Password') . "\" />\n";`
			`echo '</form>';`
			`echo '<br />';`
			`echo '<div style="font-size: 0.75em;">' . i18n('Passwords must be be between 6 and 32 characters, and may NOT contain any quote or a backslash.') . '</div>';`
- New user and volunteer signup system 2007-11-16 06:30:42 +00:00
			`send_footer();`
			`?>`