# NOTE(review): this chunk starts mid-statement and mid-block (the "body<=" fragment and the
# closing "}" below belong to an enclosing block whose header is outside this view) — presumably
# the branch that validated an emailed reset authcode into $aa; confirm against the full file.
body<= "href='$LJ::SITEROOT/lostinfo.bml'"})) if $aa->{'used'} eq 'Y';
# only an authaction of the 'reset_password' kind may take the password-reset path
return BML::redirect("$LJ::SITEROOT/lostinfo.bml") unless $aa->{action} eq 'reset_password';
# confirmed the identity...
$authu = LJ::load_userid($aa->{userid});
# verify the email can still receive passwords
# ($aa->{arg1} is passed as the address to check; its exact meaning is not visible here)
return LJ::bad_input(BML::ml('.error.emailchanged', { 'aopts' => "href='$LJ::SITEROOT/lostinfo.bml'"})) unless $authu->can_receive_password($aa->{arg1});
}

# Builds the HTML for the change-password form and returns it as a string.
# NOTE(review): the form markup inside the string literal appears to have been stripped by
# extraction — only the surrounding quotes and a trailing "\n" survive; confirm against the source.
my $update_form = sub {
    my $ret;
    # else, show the form to change:
    $ret .= "
\n";
    return $ret;
};

# GET: render the form.  POST with mode=submit: validate, then change the password.
unless (LJ::did_post()) {
    $body .= $update_form->();
} elsif ($POST{'mode'} eq 'submit') {
    # when an authcode identified the user ($authu), the account name comes from it rather
    # than from the submitted form field
    my $user = $authu ? $authu->user : LJ::canonical_username($POST{'user'});
    my $password = $POST{'password'};
    # new-password checks below run on the trimmed values
    my $newpass1 = LJ::trim($POST{'newpass1'});
    my $newpass2 = LJ::trim($POST{'newpass2'});
    my $remote = LJ::get_remote();
    my $u = LJ::load_user($user);
    unless ($u) {
        $body .= LJ::error_list("Invalid user");
        return $body;
    }
    # identity (OpenID-style) accounts have no site password to change
    return "" if $u->is_identity;
    # result discarded; presumably warms the prop cache for the later !$u->prop('badpassword') test — confirm
    $u->prop('badpassword');
    my @errors = ();
    if (grep { $user eq $_ } @LJ::TESTACCTS) {
        push @errors, $ML{'.error.changetestaccount'};
    }
    unless ($user) {
        push @errors, $ML{'.error.mustenterusername'};
    } else {
        # NOTE(review): this branch is unreachable — a false/undef $u already returned above
        unless (defined $u) {
            push @errors, BML::ml('.error.invaliduser', {'user' => $user} );
        } else {
            if (LJ::login_ip_banned($u)) {
                push @errors, $ML{'error.ipbanned'};
            # the old-password check is skipped entirely when an authcode ($authu) proved identity;
            # otherwise a wrong or empty stored password fails and the bad login is recorded
            # (stored password compared as-is; no hashing is visible at this layer)
            } elsif (!$authu && ($u->password eq "" || $u->password ne $password)) {
                push @errors, $ML{'.error.badoldpassword'};
                LJ::handle_bad_login($u);
            }
        }
    }
    if ($newpass1 ne $newpass2) {
        push @errors, $ML{'.error.badnewpassword'};
    } else {
        if ($newpass1 eq "") {
            push @errors, $ML{'.error.blankpassword'};
        } elsif (length $newpass1 > 30) {
            # hard upper bound of 30 characters on the new password
            push @errors, $ML{'.error.characterlimit'};
        } else {
            # site hook may veto weak passwords; a true return value is the error text
            my $checkpass = LJ::run_hook("bad_password", { 'u' => $u, 'password' => $newpass1, });
            if ($checkpass) {
                push @errors, BML::ml('.error.badcheck', {'error' => $checkpass});
            }
        }
    }
    # don't allow changes if email address is not validated, unless they
    # have a bad password or got the reset email
    if ($u->{'status'} ne 'A' && !$u->prop('badpassword') && !$authu) {
        push @errors, $ML{'.error.notvalidated'};
    }
    unless (LJ::is_ascii($newpass1)) {
        push @errors, $ML{'.error.nonascii'};
    }
    # any error re-renders the form; nothing has been written yet at this point
    if (@errors) {
        $body .= LJ::error_list(@errors);
        $body .= $update_form->();
        return $body;
    }
    ## make note of changed password
    # NOTE(review): $dbh is not used anywhere in the visible code
    my $dbh = LJ::get_db_writer();
    # audit trail keeps only an MD5 of the old password plus a fixed suffix, not the password itself
    my $oldval = Digest::MD5::md5_hex($u->password . "change");
    LJ::infohistory_add($u, 'password', $oldval);
    $u->log_event('password_change', { remote => $remote });
    # NOTE(review): the stored value is the raw $POST field, while validation ran on the trimmed
    # $newpass1 — surrounding whitespace passes the checks but is saved verbatim; confirm intended
    LJ::update_user($u, { password => $POST{'newpass1'} });
    # if we used an authcode, we'll need to expire it now
    LJ::mark_authaction_used($aa) if $authu;
    # If we forced them to change their password, mark them as now being good
    unless ($LJ::DISABLED{'force_pass_change'}) {
        $u->set_prop('badpassword', 0);
    }
    # Kill all sessions, forcing user to relogin
    $u->kill_all_sessions;
    # notify the account's address so an unexpected change is visible to the owner
    LJ::send_mail({
        'to' => $u->email_raw,
        'from' => $LJ::ADMIN_EMAIL,
        'fromname' => $LJ::SITENAME,
        'charset' => 'utf-8',
        'subject' => $ML{'.email.subject'},
        'body' => BML::ml('.email.body2', { sitename => $LJ::SITENAME, siteroot => $LJ::SITEROOT, username => $u->{user}, }),
    });
    $body = "";
    # if they were logged in, tell them to relogin
    # NOTE(review): this statement is garbled by extraction (looks like a "<?p ... p?>"-wrapped
    # BML::ml call with an aopts link to /login.bml); restore from the source file before relying on it
    $body .= " "href='/login.bml'" }) . " p?>" if $remote;
    # NOTE(review): whether "oldpassword" still holds the previous password here depends on
    # LJ::update_user refreshing $u in place, which is not visible from this file — confirm
    LJ::run_hooks("post_changepassword", { "u" => $u, "newpassword" => $POST{'newpass1'}, "oldpassword" => $u->password, });
    LJ::run_hook('user_login', $u);
}
return $body;
_code?>
<=body page?>
post: htdocs/changepassword.bml lib: Digest::MD5 hook: post_changepassword _c?>