1<?php
2# MantisBT - A PHP based bugtracking system
3
4# MantisBT is free software: you can redistribute it and/or modify
5# it under the terms of the GNU General Public License as published by
6# the Free Software Foundation, either version 2 of the License, or
7# (at your option) any later version.
8#
9# MantisBT is distributed in the hope that it will be useful,
10# but WITHOUT ANY WARRANTY; without even the implied warranty of
11# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
12# GNU General Public License for more details.
13#
14# You should have received a copy of the GNU General Public License
15# along with MantisBT.  If not, see <http://www.gnu.org/licenses/>.
16
17/**
18 * This page updates a user's information
19 * If an account is protected then changes are forbidden
20 * The page gets redirected back to account_page.php
21 *
22 * @package MantisBT
23 * @copyright Copyright 2000 - 2002  Kenzaburo Ito - kenito@300baud.org
24 * @copyright Copyright 2002  MantisBT Team - mantisbt-dev@lists.sourceforge.net
25 * @link http://www.mantisbt.org
26 *
27 * @uses core.php
28 * @uses authentication_api.php
29 * @uses config_api.php
30 * @uses constant_inc.php
31 * @uses current_user_api.php
32 * @uses email_api.php
33 * @uses form_api.php
34 * @uses gpc_api.php
35 * @uses html_api.php
36 * @uses lang_api.php
37 * @uses print_api.php
38 * @uses string_api.php
39 * @uses user_api.php
40 * @uses utility_api.php
41 */
42
43require_once( 'core.php' );
44require_api( 'authentication_api.php' );
45require_api( 'config_api.php' );
46require_api( 'constant_inc.php' );
47require_api( 'current_user_api.php' );
48require_api( 'email_api.php' );
49require_api( 'form_api.php' );
50require_api( 'gpc_api.php' );
51require_api( 'html_api.php' );
52require_api( 'lang_api.php' );
53require_api( 'print_api.php' );
54require_api( 'string_api.php' );
55require_api( 'user_api.php' );
56require_api( 'utility_api.php' );
57
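form_security_validate( 'account_update' );

# Two ways into this page:
#  - account verification / password reset: verify.php has stored a
#    TOKEN_ACCOUNT_VERIFY token for the user and the form posts the user id
#    back as verify_user_id;
#  - normal account update: the current user must reauthenticate first.
# NOTE(review): in the verification path the request is bound to the reset
# only by the existence of the token for the posted user id and by the form
# security token of the posting session; confirm against verify.php that no
# stronger binding (e.g. to the session that passed verification) is expected.
$t_verify_user_id = gpc_get( 'verify_user_id', false );
$t_account_verification = $t_verify_user_id
	? token_get_value( TOKEN_ACCOUNT_VERIFY, $t_verify_user_id )
	: false;

if( !$t_account_verification ) {
	auth_reauthenticate();
	$t_user_id = auth_get_current_user_id();
} else {
	# set a temporary cookie so the login information is passed between pages.
	auth_set_cookies( $t_verify_user_id, false );
	# fake login so the user can set their password
	auth_attempt_script_login( user_get_username( $t_verify_user_id ) );
	$t_user_id = $t_verify_user_id;
}

auth_ensure_user_authenticated();
# Changes to a protected account are forbidden on this page.
current_user_ensure_unprotected();

$f_email            = gpc_get_string( 'email', '' );
$f_realname         = gpc_get_string( 'realname', '' );
$f_password_current = gpc_get_string( 'password_current', '' );
$f_password         = gpc_get_string( 'password', '' );
$f_password_confirm = gpc_get_string( 'password_confirm', '' );

$t_redirect_url = 'index.php';

$t_update_email = false;
$t_update_password = false;
$t_update_realname = false;

# Do not allow blank passwords in account verification/reset
if( $t_account_verification && is_blank( $f_password ) ) {
	# log out of the temporary login used by verification
	auth_clear_cookies();
	auth_logout();
	error_parameters( lang_get( 'password' ) );
	trigger_error( ERROR_EMPTY_FIELD, ERROR );
}

$t_ldap = ( LDAP == config_get_global( 'login_method' ) );

# Update email (but only if LDAP isn't being used)
# Do not update email for a user verification
if( !( $t_ldap && config_get_global( 'use_ldap_email' ) )
	&& !$t_account_verification ) {
	# Strict comparison: != compares numeric-looking strings by value.
	if( !is_blank( $f_email ) && $f_email !== (string)user_get_email( $t_user_id ) ) {
		$t_update_email = true;
	}
}

# Update real name (but only if LDAP isn't being used)
# NOTE(review): unlike the e-mail, the real name is also compared (and
# possibly cleared) in the verification path; confirm that the form posted
# by verify.php carries the user's current real name.
if( !( $t_ldap && config_get_global( 'use_ldap_realname' ) ) ) {
	# strip extra spaces from real name
	$t_realname = string_normalize( $f_realname );
	if( $t_realname !== (string)user_get_field( $t_user_id, 'realname' ) ) {
		$t_update_realname = true;
	}
}

# Update password if the two match and are not empty
if( !is_blank( $f_password ) ) {
	# Strict comparison: with != two numeric-looking strings such as '1e1'
	# and '10' compare equal, so a mistyped confirmation would be accepted.
	if( $f_password !== $f_password_confirm ) {
		if( $t_account_verification ) {
			# log out of the temporary login used by verification
			auth_clear_cookies();
			auth_logout();
		}
		trigger_error( ERROR_USER_CREATE_PASSWORD_MISMATCH, ERROR );
	} else {
		# A regular change must prove knowledge of the current password;
		# the verification/reset flow has no current password to check.
		if( !$t_account_verification && !auth_does_password_match( $t_user_id, $f_password_current ) ) {
			trigger_error( ERROR_USER_CURRENT_PASSWORD_MISMATCH, ERROR );
		}

		# Nothing to store when the new password equals the current one.
		if( !auth_does_password_match( $t_user_id, $f_password ) ) {
			$t_update_password = true;
		}
	}
}

layout_page_header( null, $t_redirect_url );

layout_page_begin();

# One entry per applied change; joined with line breaks on the result page.
$t_messages = array();

if( $t_update_email ) {
	user_set_email( $t_user_id, $f_email );
	$t_messages[] = lang_get( 'email_updated' );
}

if( $t_update_password ) {
	user_set_password( $t_user_id, $f_password );
	$t_messages[] = lang_get( 'password_updated' );
}

# The verification token is single use: consume it once the reset request
# has been processed, even when the chosen password matched the stored one
# and no update was needed, so it cannot be reused until it expires.
if( $t_account_verification ) {
	token_delete( TOKEN_ACCOUNT_VERIFY, $t_user_id );
}

if( $t_update_realname ) {
	user_set_realname( $t_user_id, $t_realname );
	$t_messages[] = lang_get( 'realname_updated' );
}

form_security_purge( 'account_update' );

html_operation_successful( $t_redirect_url, implode( '<br />', $t_messages ) );

layout_page_end();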
172