- Move all the password handling code into one function (not duplicated/spread

over 3 files)
- Fix a bug to always save the old password (unless it was a reset password)
- Fix a bug to save the old password even when the user sets a new one
This commit is contained in:
dave 2008-07-09 17:02:11 +00:00
parent 5ed0135442
commit a9318b6303
4 changed files with 42 additions and 22 deletions

View File

@ -174,6 +174,36 @@ function user_load($user, $load_full=false)
return $ret; return $ret;
} }
function user_set_password($id, $password = NULL)
{
/* pass $u by reference so we can update it */
$save_old = false;
if($password == NULL) {
$q = mysql_query("SELECT passwordset FROM users WHERE id='$id'");
$u = mysql_fetch_assoc($q);
/* Generate a new password */
$password = generatePassword(12);
/* save the old password only if it's not an auto-generated one */
if($u['passwordset'] != '0000-00-00') $save_old = true;
/* Expire the password */
$save_set = "'0000-00-00'";
} else {
/* Set the password, no expiry, save the old */
$save_old = true;
$save_set = 'NOW()';
}
$p = mysql_escape_string($password);
$set = ($save_old == true) ? 'oldpassword=password, ' : '';
$set .= "password='$p', passwordset=$save_set ";
$query = "UPDATE users SET $set WHERE id='$id'";
mysql_query($query);
echo mysql_error();
return $password;
}
function user_save_volunteer($u) function user_save_volunteer($u)
{ {
@ -216,7 +246,7 @@ function user_save_fair($u)
function user_save($u) function user_save($u)
{ {
$fields = array('firstname','lastname','username','password', $fields = array('firstname','lastname','username',
'email', 'email',
'phonehome','phonework','phonecell','fax','organization', 'phonehome','phonework','phonecell','fax','organization',
'address','address2','city','province','postalcode','sex', 'address','address2','city','province','postalcode','sex',
@ -233,7 +263,6 @@ function user_save($u)
$data = mysql_escape_string(stripslashes($u[$f])); $data = mysql_escape_string(stripslashes($u[$f]));
$set .= "$f='$data'"; $set .= "$f='$data'";
if($f=="password") $set.=",passwordset=NOW()";
} }
//echo "<pre>"; //echo "<pre>";
//print_r($u); //print_r($u);
@ -245,14 +274,16 @@ function user_save($u)
echo mysql_error(); echo mysql_error();
} }
/* Save the password if it changed */
if($u['password'] != $u['orig']['password'])
user_set_password($u['id'], $u['password']);
/* If this was a full load, do a full save */ /* If this was a full load, do a full save */
if($u['load_full'] == true) { if($u['load_full'] == true) {
foreach($u['types'] as $t) { foreach($u['types'] as $t) {
call_user_func("user_save_$t", $u); call_user_func("user_save_$t", $u);
} }
} }
} }
@ -341,6 +372,7 @@ function user_create($type, $u = NULL)
mysql_query("INSERT INTO users (`types`,`passwordset`,`created`) mysql_query("INSERT INTO users (`types`,`passwordset`,`created`)
VALUES ('$type', '0000-00-00', NOW())"); VALUES ('$type', '0000-00-00', NOW())");
$uid = mysql_insert_id(); $uid = mysql_insert_id();
user_set_password($uid, NULL);
} else { } else {
/* The user has been specified and already exists, /* The user has been specified and already exists,
* just add a role */ * just add a role */

View File

@ -295,14 +295,8 @@
exit; exit;
} }
$password = generatePassword(12); /* Reset the password, and force it to expire */
$password = user_set_password($r->id, NULL);
/* Save their old password so it can be recovered if someone is just trying
* to reset someones password */
mysql_query("UPDATE users SET oldpassword=password WHERE id={$r->id}");
/* Set the new password, and force it to expire */
mysql_query("UPDATE users SET password='$password',passwordset='0000-00-00' WHERE id={$r->id}");
/* volunteer_recover_password, judge_recover_password, student_recover_password, /* volunteer_recover_password, judge_recover_password, student_recover_password,
committee_recover_password */ committee_recover_password */

View File

@ -175,22 +175,19 @@
/* If we havne't encountered a break; or an exit; yet, then go ahead /* If we havne't encountered a break; or an exit; yet, then go ahead
* and create the account */ * and create the account */
/* Generate a password */ /* Add the user, user_create sets a random/expired password,
$password = generatePassword(12); * so we'll just use that */
/* Add the user */
$u = user_create($type); $u = user_create($type);
$u['firstname'] = $data_fn; $u['firstname'] = $data_fn;
$u['lastname'] = $data_ln; $u['lastname'] = $data_ln;
$u['username'] = $data_email; $u['username'] = $data_email;
$u['password'] = $password;
$u['email'] = $data_email; $u['email'] = $data_email;
user_save($u); user_save($u);
/* Send the email */ /* Send the email */
email_send($welcome_email, $data_email, email_send($welcome_email, $data_email,
array("FAIRNAME"=>i18n($config['fairname'])), array("FAIRNAME"=>i18n($config['fairname'])),
array("PASSWORD"=>$password, array("PASSWORD"=>$u['password'],
"EMAIL"=>$data_email) "EMAIL"=>$data_email)
); );

View File

@ -66,10 +66,7 @@
else if($_POST['pass1'] != $_POST['pass2']) $notice = 'nomatch'; else if($_POST['pass1'] != $_POST['pass2']) $notice = 'nomatch';
else if(user_valid_password($_POST['pass1']) == false) $notice = 'invalidchars'; else if(user_valid_password($_POST['pass1']) == false) $notice = 'invalidchars';
else { else {
mysql_query("UPDATE users SET user_set_password($_SESSION['users_id'], $pass);
password='$pass',
passwordset=NOW()
WHERE id='{$_SESSION['users_id']}'");
unset($_SESSION['password_expired']); unset($_SESSION['password_expired']);
header("location: $back_link?notice=password_changed"); header("location: $back_link?notice=password_changed");