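<?php
# MantisBT - A PHP based bugtracking system

# MantisBT is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 2 of the License, or
# (at your option) any later version.
#
# MantisBT is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with MantisBT. If not, see <http://www.gnu.org/licenses/>.

/**
 * This page updates a user's information (email, real name, password).
 * If an account is protected then changes are forbidden.
 * On success the page redirects to index.php (see $t_redirect_url below).
 *
 * Two entry modes are handled:
 *  - normal account update: the user is re-authenticated and the current
 *    password must be supplied before a new one is accepted;
 *  - account verification / password reset: a 'verify_user_id' parameter
 *    names a user whose TOKEN_ACCOUNT_VERIFY token is still valid, a
 *    temporary login is created for that user, and only the password may
 *    be set (email is not updated in this mode).
 *
 * @package MantisBT
 * @copyright Copyright 2000 - 2002 Kenzaburo Ito - kenito@300baud.org
 * @copyright Copyright 2002 MantisBT Team - mantisbt-dev@lists.sourceforge.net
 * @link http://www.mantisbt.org
 *
 * @uses core.php
 * @uses authentication_api.php
 * @uses config_api.php
 * @uses constant_inc.php
 * @uses current_user_api.php
 * @uses email_api.php
 * @uses form_api.php
 * @uses gpc_api.php
 * @uses html_api.php
 * @uses lang_api.php
 * @uses print_api.php
 * @uses string_api.php
 * @uses user_api.php
 * @uses utility_api.php
 */

require_once( 'core.php' );
require_api( 'authentication_api.php' );
require_api( 'config_api.php' );
require_api( 'constant_inc.php' );
require_api( 'current_user_api.php' );
require_api( 'email_api.php' );
require_api( 'form_api.php' );
require_api( 'gpc_api.php' );
require_api( 'html_api.php' );
require_api( 'lang_api.php' );
require_api( 'print_api.php' );
require_api( 'string_api.php' );
require_api( 'user_api.php' );
require_api( 'utility_api.php' );

# CSRF check: the form token must match before any state is read or changed
form_security_validate( 'account_update' );

# If token is set, it's a password reset request from verify.php, and if
# not we need to reauthenticate the user
$t_verify_user_id = gpc_get( 'verify_user_id', false );
$t_account_verification = $t_verify_user_id ? token_get_value( TOKEN_ACCOUNT_VERIFY, $t_verify_user_id ) : false;
if( !$t_account_verification ) {
	auth_reauthenticate();
	$t_user_id = auth_get_current_user_id();
} else {
	# set a temporary cookie so the login information is passed between pages.
	auth_set_cookies( $t_verify_user_id, false );
	# fake login so the user can set their password
	auth_attempt_script_login( user_get_username( $t_verify_user_id ) );
	$t_user_id = $t_verify_user_id;
}

auth_ensure_user_authenticated();
current_user_ensure_unprotected();

# All form fields are read as strings; missing fields default to ''
$f_email = gpc_get_string( 'email', '' );
$f_realname = gpc_get_string( 'realname', '' );
$f_password_current = gpc_get_string( 'password_current', '' );
$f_password = gpc_get_string( 'password', '' );
$f_password_confirm = gpc_get_string( 'password_confirm', '' );

$t_redirect_url = 'index.php';

# Flags deciding which fields actually get written further down
$t_update_email = false;
$t_update_password = false;
$t_update_realname = false;

# Do not allow blank passwords in account verification/reset
if( $t_account_verification && is_blank( $f_password ) ) {
	# log out of the temporary login used by verification
	auth_clear_cookies();
	auth_logout();
	error_parameters( lang_get( 'password' ) );
	trigger_error( ERROR_EMPTY_FIELD, ERROR );
}

$t_ldap = ( LDAP == config_get_global( 'login_method' ) );

# Update email (but only if LDAP isn't being used)
# Do not update email for a user verification
if( !( $t_ldap && config_get_global( 'use_ldap_email' ) )
	&& !$t_account_verification ) {
	if( !is_blank( $f_email ) && $f_email != user_get_email( $t_user_id ) ) {
		$t_update_email = true;
	}
}

# Update real name (but only if LDAP isn't being used)
if( !( $t_ldap && config_get_global( 'use_ldap_realname' ) ) ) {
	# strip extra spaces from real name
	$t_realname = string_normalize( $f_realname );
	if( $t_realname != user_get_field( $t_user_id, 'realname' ) ) {
		$t_update_realname = true;
	}
}

# Update password if the two match and are not empty
if( !is_blank( $f_password ) ) {
	# Strict comparison: both values are strings from gpc_get_string(), and a
	# loose != would treat numeric-looking strings such as '1e3' and '1000'
	# as equal, letting a mistyped confirmation through.
	if( $f_password !== $f_password_confirm ) {
		if( $t_account_verification ) {
			# log out of the temporary login used by verification
			auth_clear_cookies();
			auth_logout();
		}
		trigger_error( ERROR_USER_CREATE_PASSWORD_MISMATCH, ERROR );
	} else {
		# Outside of verification the current password must be proven before
		# a new one is accepted.
		# NOTE(review): relies on trigger_error( ..., ERROR ) halting the
		# script, otherwise the update flag below is still set - confirm
		if( !$t_account_verification && !auth_does_password_match( $t_user_id, $f_password_current ) ) {
			trigger_error( ERROR_USER_CURRENT_PASSWORD_MISMATCH, ERROR );
		}

		# only rewrite the stored password when it actually changes
		if( !auth_does_password_match( $t_user_id, $f_password ) ) {
			$t_update_password = true;
		}
	}
}

layout_page_header( null, $t_redirect_url );

layout_page_begin();

# Human-readable summary of what was changed, one line per field
$t_message = '';

if( $t_update_email ) {
	user_set_email( $t_user_id, $f_email );
	$t_message .= lang_get( 'email_updated' );
}

if( $t_update_password ) {
	user_set_password( $t_user_id, $f_password );
	$t_message = is_blank( $t_message ) ? '' : $t_message . '<br />';
	$t_message .= lang_get( 'password_updated' );

	# Clear the verification token so the reset link cannot be reused
	if( $t_account_verification ) {
		token_delete( TOKEN_ACCOUNT_VERIFY, $t_user_id );
	}
}

if( $t_update_realname ) {
	user_set_realname( $t_user_id, $t_realname );
	$t_message = is_blank( $t_message ) ? '' : $t_message . '<br />';
	$t_message .= lang_get( 'realname_updated' );
}

# The form token is single-use; invalidate it now that the update is done
form_security_purge( 'account_update' );

html_operation_successful( $t_redirect_url, $t_message );

layout_page_end();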