diff --git a/user.inc.php b/user.inc.php
index b5f0b1a..6af94ab 100644
--- a/user.inc.php
+++ b/user.inc.php
@@ -174,6 +174,36 @@ function user_load($user, $load_full=false)
 return $ret;
 }
+function user_set_password($id, $password = NULL)
+{
+ /* pass $u by reference so we can update it */
+ $save_old = false;
+ if($password == NULL) {
+ $q = mysql_query("SELECT passwordset FROM users WHERE id='$id'");
+ $u = mysql_fetch_assoc($q);
+ /* Generate a new password */
+ $password = generatePassword(12);
+ /* save the old password only if it's not an auto-generated one */
+ if($u['passwordset'] != '0000-00-00') $save_old = true;
+ /* Expire the password */
+ $save_set = "'0000-00-00'";
+ } else {
+ /* Set the password, no expiry, save the old */
+ $save_old = true;
+ $save_set = 'NOW()';
+ }
+
+ $p = mysql_escape_string($password);
+ $set = ($save_old == true) ? 'oldpassword=password, ' : '';
+ $set .= "password='$p', passwordset=$save_set ";
+
+ $query = "UPDATE users SET $set WHERE id='$id'";
+ mysql_query($query);
+ echo mysql_error();
+
+ return $password;
+}
+
 function user_save_volunteer($u)
 {
@@ -216,7 +246,7 @@ function user_save_fair($u)
 function user_save($u)
 {
- $fields = array('firstname','lastname','username','password',
+ $fields = array('firstname','lastname','username',
 'email',
 'phonehome','phonework','phonecell','fax','organization',
 'address','address2','city','province','postalcode','sex',
@@ -233,7 +263,6 @@ function user_save($u)
 $data = mysql_escape_string(stripslashes($u[$f]));
 $set .= "$f='$data'";
- if($f=="password") $set.=",passwordset=NOW()";
 }
 //echo "
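Review bot: `$id` is interpolated unescaped into both the SELECT and the UPDATE in user_set_password (`WHERE id='$id'`) while only `$password` is escaped, and one call site hands it in from a caller-built array (`$u['id']` in user_save); coerce it at the top of the function with `$id = (int)$id;`, and prefer `mysql_real_escape_string` over `mysql_escape_string` for `$password` so the connection charset is honoured. The `$password == NULL` test is loose, so an empty string also takes the reset branch and silently replaces the password with a generated, expired one; use `$password === NULL` (or spell out `$password === NULL || $password === ''` if that is intended) and say so in a comment. The opening comment `/* pass $u by reference so we can update it */` does not describe this function and should be replaced with one stating that `NULL` means "generate a random password, expire it, and return it; otherwise store the given password and stamp passwordset". The function still stores the password in clear text (`password='$p'`, `oldpassword=password`), as the inline queries it replaces did; that is a larger change than this commit, but now that all writes go through one place a `// TODO: hash passwords here` marker belongs on the UPDATE.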
";
 	//print_r($u);
@@ -245,14 +274,16 @@ function user_save($u)
 		echo mysql_error();
 	}
 
+	/* Save the password if it changed */
+	if($u['password'] != $u['orig']['password']) 
+		user_set_password($u['id'], $u['password']);
+
 	/* If this was a full load, do a full save */
 	if($u['load_full'] == true) {
 		foreach($u['types'] as $t) {
 			call_user_func("user_save_$t", $u);
 		}
 	}
-
-			
 }
 
 
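Review bot: The new comparison `$u['password'] != $u['orig']['password']` is loose and unguarded: a caller that builds `$u` without `orig`, leaves `password` unset, or clears it to `''` (which user_set_password treats like NULL and turns into a random, expired password) triggers a notice or a silent reset. Guard it, e.g. `if(isset($u['password']) && $u['password'] !== '' && (!isset($u['orig']['password']) || $u['password'] !== $u['orig']['password']))`. Nothing here validates the new value with user_valid_password the way user_password.php does, so if other callers are expected to pass raw form input, add that check before the call. The body of user_save starts before this hunk.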
@@ -341,6 +372,7 @@ function user_create($type, $u = NULL)
 		mysql_query("INSERT INTO users (`types`,`passwordset`,`created`) 
 				VALUES ('$type', '0000-00-00', NOW())");
 		$uid = mysql_insert_id();
+		user_set_password($uid, NULL);
 	} else {
 		/* The user has been specified and already exists,
 		 * just add a role */
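Review bot: `user_set_password($uid, NULL)` runs even when the INSERT failed and `mysql_insert_id()` returned 0, in which case the UPDATE targets `id='0'`; guard it with `if($uid) user_set_password($uid, NULL);` or stop on `mysql_error()` before the call. The generated password returned by user_set_password is discarded here, so callers such as user_new.php, which emails `$u['password']`, depend on user_create reloading the row afterwards; if that is what the code below the hunk does, a comment like `/* the generated password is read back when the user is loaded below */` would make the dependency explicit. user_create starts and ends outside this hunk.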
diff --git a/user_login.php b/user_login.php
index 920081b..46cba42 100644
--- a/user_login.php
+++ b/user_login.php
@@ -295,14 +295,8 @@
 				exit;
 			}
 
-			$password = generatePassword(12);
-
-			/* Save their old password so it can be recovered if someone is just trying
-			 * to reset someones password */
-			mysql_query("UPDATE users SET oldpassword=password WHERE id={$r->id}");
-
-			/* Set the new password, and force it to expire  */
-			mysql_query("UPDATE users SET password='$password',passwordset='0000-00-00' WHERE id={$r->id}");
+			/* Reset the password, and force it to expire */
+			$password = user_set_password($r->id, NULL);
 
 			/* volunteer_recover_password, judge_recover_password, student_recover_password,
 				committee_recover_password */
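Review bot: The recovery path still overwrites and expires the stored password for any request naming an existing account, with no throttling visible in this hunk, so anyone who knows an address can repeatedly lock that user out; the new `$save_old` logic only ensures the genuine password survives in `oldpassword` after the first reset, it does not stop the lockout. If nothing above the hunk rate-limits by account or client, check a recent reset timestamp before calling user_set_password, and consider emailing a short-lived reset token rather than the clear-text `$password` the call returns. The enclosing block starts outside the hunk.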
diff --git a/user_new.php b/user_new.php
index 749c67f..23cacb2 100644
--- a/user_new.php
+++ b/user_new.php
@@ -175,22 +175,19 @@
 	/* If we havne't encountered a break; or an exit; yet, then go ahead
 	 * and create the account */
 
-	/* Generate a password */
-	$password = generatePassword(12);
-
-	/* Add the user */
+	/* Add the user, user_create sets a random/expired password,
+	 * so we'll just use that */
 	$u = user_create($type);
 	$u['firstname'] = $data_fn;
 	$u['lastname'] = $data_ln;
 	$u['username'] = $data_email;
-	$u['password'] = $password;
 	$u['email'] = $data_email;
 	user_save($u);
 
 	/* Send the email */
 	email_send($welcome_email, $data_email,
 			array("FAIRNAME"=>i18n($config['fairname'])),
-			array("PASSWORD"=>$password,
+			array("PASSWORD"=>$u['password'],
 				"EMAIL"=>$data_email)
 		);
 
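Review bot: The welcome email now sends `$u['password']`, which is only correct if user_create returns the row reloaded after user_set_password (the user.inc.php hunk discards that function's return value); if the returned record has no `password` field, the mail goes out with an empty PASSWORD. Either have user_create expose the generated password explicitly or check before sending, `if(empty($u['password'])) { /* no password was generated; abort or regenerate */ }`. A short comment that user_save is presumably not expected to reset the password again here, because `$u['password']` is unchanged from the loaded value, would also help the next reader.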
diff --git a/user_password.php b/user_password.php
index ff18772..a6c2244 100644
--- a/user_password.php
+++ b/user_password.php
@@ -66,10 +66,7 @@
 	else if($_POST['pass1'] != $_POST['pass2']) $notice = 'nomatch';
 	else if(user_valid_password($_POST['pass1']) == false) $notice = 'invalidchars';
 	else {
-		mysql_query("UPDATE users SET 
-					password='$pass', 
-					passwordset=NOW()
-				WHERE id='{$_SESSION['users_id']}'");
+		user_set_password($_SESSION['users_id'], $pass);
 		unset($_SESSION['password_expired']);
 
 		header("location: $back_link?notice=password_changed");
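Review bot: user_set_password applies mysql_escape_string to the value it receives, so if `$pass` (defined above this hunk) was already escaped for the old inline query, the stored password now carries doubled backslashes and will not match what the user typed; pass the validated raw value instead, `user_set_password($_SESSION['users_id'], $_POST['pass1']);`, and drop the earlier escaping. The preceding branches validate `$_POST['pass1']`, but nothing visible here requires the current password before changing it, so confirm that check exists above the hunk or add it ahead of the update. The enclosing block starts outside the hunk.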