File: updatepassword.php

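<?php
require('reprofunctions.php');
dbgSquirt("============= Update Password ===============");

/**
 * Send the browser to $page (a file in this script's directory) and stop.
 *
 * @param string      $page  file name such as "changepassword.php"
 * @param string|null $error optional message for the target page.  It is
 *                           URL-encoded so that spaces and punctuation cannot
 *                           corrupt the query string (the original inlined the
 *                           raw text).  NOTE(review): assumes $error from
 *                           checkCookies() is plain text, not pre-encoded --
 *                           confirm in reprofunctions.php.
 * @return void never returns; exit is called after the Location header is sent
 */
function redirectAndExit($page, $error = null)
{
  // NOTE(review): HTTP_HOST comes from the client's Host header and the scheme
  // is hard-coded to http, so the redirect target is attacker-influenced and
  // always downgrades an https session.  A relative Location (e.g. "./$page")
  // would avoid both; kept as-is here to preserve the existing behaviour.
  $target = "http://" . $_SERVER['HTTP_HOST'] . dirname($_SERVER['PHP_SELF']) . "/" . $page;
  if (null !== $error) {
    $target .= "?error=" . urlencode($error);
  }
  header("Location: " . $target);
  exit;
}

// Require an authenticated session before doing anything else.  checkCookies()
// (reprofunctions.php) validates the login cookies; $forceLogin is set when the
// user must re-authenticate and $error carries any message for the login page.
$result = checkCookies($forceLogin, $error, FALSE);
if (!$result || $forceLogin) {
  dbgSquirt("Authentication failed");
  redirectAndExit("index.php", (string) $error);
}
// The cookie value is trusted only because checkCookies() accepted it above.
$username = $_COOKIE['user'];

// The form posts either "Save" or "Cancel" in the submit field; a cancel is a
// plain return to the user's home page.  isset() avoids an undefined-index
// notice when the page is reached without a form post.
dbgSquirt("Checking for cancel");
if (isset($_POST['submit']) && "Cancel" === $_POST['submit']) {
  dbgSquirt("...cancel");
  redirectAndExit("userhome.php");
}

// All three fields must be present and be plain strings: a crafted request can
// post arrays (newpassword[]=x), which the comparisons and helpers below do
// not expect.  Missing fields usually mean someone jumped straight to this page.
dbgSquirt("Checking post");
if (!isset($_POST['current'], $_POST['newpassword'], $_POST['newpassword2']) ||
    !is_string($_POST['current']) || !is_string($_POST['newpassword']) ||
    !is_string($_POST['newpassword2'])) {
  dbgSquirt("...not set");
  redirectAndExit("changepassword.php",
                  "No new password was provided.  Please enter one and click Save.  If this error reoccurs, contact an administrator.");
}

$currentPassword = $_POST['current'];
$newPassword = $_POST['newpassword'];
$newPassword2 = $_POST['newpassword2'];

// Passwords are secrets: never write their values to the debug log.  (The
// original logged all three in clear text on the "Checking ..." lines.)
dbgSquirt("Checking blank");
// Compare against "" rather than empty(): empty("0") is true and would reject
// a legitimate (if poor) password of "0".
if ("" === $newPassword) {
  dbgSquirt("...Empty");
  redirectAndExit("changepassword.php", "The new password must not be blank.");
}

// Strict comparison throughout: "==" compares numeric-looking strings loosely
// ("1e3" == "1000" is true), which is not what a password check wants.
dbgSquirt("Checking match");
if ($newPassword !== $newPassword2) {
  dbgSquirt("...NO.  Don't match");
  redirectAndExit("changepassword.php", "Password and retyped password don't match");
}

dbgSquirt("Checking that new password is different");
if ($newPassword === $currentPassword) {
  dbgSquirt("Trying to reuse the current password");
  redirectAndExit("changepassword.php", "The new password is the same as the existing password.");
}

// Re-authenticate with the current password before changing anything.  This
// is also the only protection against a cross-site forged post here (there is
// no CSRF token): an attacker's page cannot supply the victim's current
// password.  validateUser() returns "A" only for an active account whose
// stored credential matches; any other value (wrong password, or an account an
// admin disabled/unverified mid-session) is rejected.  The comparison is
// strict because, in PHP < 8, "A" == 0 is true -- a loose check would accept
// an integer-zero failure result as success if validateUser() ever returns one.
$encryptedPassword = createPassword($username, $currentPassword);
$result = validateUser($username, $encryptedPassword);
dbgSquirt("Verifying current password");
if ("A" !== $result) {
  dbgSquirt("...doesn't match an active user");
  redirectAndExit("changepassword.php",
                  "Current password doesn't match an active user.  Please try again.  If you receive this error again, contact an administrator.");
}

// Store the new credential.  createPassword() derives it from username and
// password (presumably the SIP digest HA1 form -- confirm in reprofunctions.php).
$encryptedPassword = createPassword($username, $newPassword);

if (updatePassword($username, $encryptedPassword)) {
  $title = "Password changed";
  $heading = "Password changed";
  $msg = "Password successfully updated.";
} else {
  $title = "Error while changing password";
  $heading = "Error while changing password";
  $msg = "An error occurred while attempting to change your password.  Please contact an administrator.";
}
?>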
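<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<!--
System:  Repro
File:    updatepassword.php
Purpose: Check permissions, verify requested change, and update password
Author:  S. Chanin
-->
<html>
<head>
<link rel="stylesheet" type="text/css" href="repro_style.css" />
  <!-- $title, $heading and $msg are fixed strings set above; they are still
       HTML-escaped at the sink so that a future message carrying user data
       (a username, a database error) cannot inject markup. -->
  <title><?php echo htmlspecialchars($title, ENT_QUOTES, 'UTF-8'); ?></title>
</head>

<body>
<h1 class="title">Repro</h1>
<h1><?php echo htmlspecialchars($heading, ENT_QUOTES, 'UTF-8'); ?></h1>
<hr />
<p><?php echo htmlspecialchars($msg, ENT_QUOTES, 'UTF-8'); ?></p>
<br /><hr />
<a href="userhome.php">Return to User Home</a><br />
<a href="logout.php">Logout</a><br />

</body>
</html>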