<?php
#
# Copyright (c) 2000-2017 University of Utah and the Flux Group.
# 
# {{{EMULAB-LICENSE
# 
# This file is part of the Emulab network testbed software.
# 
# This file is free software: you can redistribute it and/or modify it
# under the terms of the GNU Affero General Public License as published by
# the Free Software Foundation, either version 3 of the License, or (at
# your option) any later version.
# 
# This file is distributed in the hope that it will be useful, but WITHOUT
# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
# FITNESS FOR A PARTICULAR PURPOSE.  See the GNU Affero General Public
# License for more details.
# 
# You should have received a copy of the GNU Affero General Public License
# along with this file.  If not, see <http://www.gnu.org/licenses/>.
# 
# }}}
#
# Load the shared definitions from the parent directory, then step back
# into apt/ for the support library. The chdir() calls bracket the first
# include so that the relative file names resolve from the intended
# directory; keep the statement order as is.
# NOTE(review): both files are defined outside this listing; every helper
# called below (RedirectSecure, SPITUSERERROR, ...) presumably comes from them.
chdir("..");
include("defs.php3");
chdir("apt");
include("quickvm_sup.php");
$page_title = "Change Password";

# NOTE(review): presumably forces the request onto HTTPS before any reset
# key or password material is handled -- confirm in the helper's definition.
RedirectSecure();

#
# Verify page arguments.
#
# Both arguments are optional. "user" is the account whose password is to
# be changed; "key" is the half of the reset key carried in the URL.
# NOTE(review): the code below reads them as $user and $key, so the helper
# presumably exports them as globals -- confirm against its definition.
$optargs = OptionalPageArguments(
    "user", PAGEARG_USER,
    "key",  PAGEARG_STRING
);

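#
# We use this page for both resetting a forgotten password, and for
# a logged in user to change their password. We use the "key" argument
# to tell us it's a reset.
#
# Security notes for the reset path:
#  * The reset key is split in two: one half arrives in the URL ("key"),
#    the other in the browser cookie named by $TBAUTHCOOKIE. Both halves
#    are required, so the URL on its own is not sufficient.
#  * No login is required on this path. Possession of the complete,
#    unexpired key is the only authorization, so every check fails closed.
#
if (isset($key)) {
    if (!isset($user)) {
        SPITUSERERROR("Missing user argument");
        return;
    }
    # Half the key in the URL.
    $keyB = $key;
    # We also need the other half of the key from the browser. A cookie
    # sent in array form is not a usable key half; treat it as missing
    # instead of passing a non-string to preg_match() below.
    $keyA = "";
    if (isset($_COOKIE[$TBAUTHCOOKIE]) && is_string($_COOKIE[$TBAUTHCOOKIE])) {
        $keyA = $_COOKIE[$TBAUTHCOOKIE];
    }

    # If the browser part is missing, direct user to answer
    if ((isset($keyB) && $keyB != "") && $keyA === "") {
        SPITUSERERROR("Oops, not able to proceed!<br>".
                      "Please read this ".
                      "<a href='$WIKIDOCURL/kb69'>Knowledge Base Entry</a> ".
                      "to see what the likely cause is.", 1);
        return;
    }
    # Whitelist both halves. \z is used instead of $ because $ also matches
    # just before a trailing newline, which would let "abc\n" through and
    # later land inside the hand-quoted JS literal built from $key.
    if (!is_string($keyB) ||
        !preg_match("/^\w+\z/", $keyA) || !preg_match("/^\w+\z/", $keyB)) {
        SPITUSERERROR("Invalid keys in request");
        return;
    }
    # The complete key.
    $key = $keyA . $keyB;

    $stored_key = $user->chpasswd_key();
    $expires    = $user->chpasswd_expires();

    # No outstanding reset request for this account.
    if (!$stored_key || !$expires) {
        SPITUSERERROR("Why are you here?");
        return;
    }

    # Compare byte for byte. A loose != treats numeric-looking strings as
    # numbers, so two different keys could compare equal; hash_equals()
    # additionally avoids leaking the match position through timing. The
    # strict === fallback only covers PHP builds that predate hash_equals().
    $stored_key = (string) $stored_key;
    if (function_exists("hash_equals")) {
        $keys_match = hash_equals($stored_key, $key);
    }
    else {
        $keys_match = ($stored_key === $key);
    }
    if (!$keys_match) {
        SPITUSERERROR("Invalid key in request.");
        return;
    }
    if (time() > $expires) {
        SPITUSERERROR("Your key has expired. Please request a
               <a href='forgotpswd.php'>new key</a>.");
        return;
    }

    # A valid reset key stands in for the old password.
    $needold = 0;
    # $key is written verbatim into a <script> block further down. Quoting
    # it by hand is safe only because both halves passed the \w+ whitelist.
    $key = "'$key'";
}
else {
    #
    # The user must be logged in.
    #
    $this_user = CheckLoginOrRedirect(CHECKLOGIN_USERSTATUS|
                                      CHECKLOGIN_PSWDEXPIRED);

    # Check for admin setting another users password.
    if (!isset($user)) {
        $user = $this_user;
    }
    elseif (!$this_user->SameUser($user) && !ISADMIN()) {
        SPITUSERERROR("Not enough permission to reset password for user");
        return;
    }
    #
    # admins do not need to provide an old password when changing another
    # user password, but they need it to change their own password.
    #
    # NOTE(review): $needold only tells the client-side form whether to ask
    # for the old password. The handler that performs the change is not in
    # this file and must enforce the same rule itself -- confirm.
    #
    $needold = (!ISADMIN() || $this_user->SameUser($user) ? 1 : 0);
    # JavaScript literal: no reset key on the logged-in path.
    $key = "null";
}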
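$uid = $user->uid();

# Encode the uid as a JavaScript string literal instead of quoting it by
# hand. The JSON_HEX_* flags escape <, >, &, ' and ", so the value cannot
# end the string or the surrounding <script> element.
# NOTE(review): uids are presumably restricted to safe characters where
# accounts are created (not visible here); this is defense in depth.
$uid_js = json_encode((string) $uid,
                      JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
if ($uid_js === false) {
    # Not encodable (e.g. invalid UTF-8): refuse rather than emit broken JS.
    SPITUSERERROR("Invalid user");
    return;
}

SPITHEADER(1);

# Hand the page state to js/changepswd.js through window globals.
#  * $needold is 0 or 1, set by this script.
#  * $key is already a JavaScript literal built above: either null or a
#    single-quoted string of whitelisted word characters.
echo "<script>\n";
echo "window.NEEDOLD = $needold;\n";
echo "window.KEY = $key;\n";
echo "window.USER = $uid_js;\n";
echo "</script>\n";
# Mount points filled in by the templates listed below. The original also
# emitted a second, unmatched </script> after these divs; it is dropped.
echo "<div id='page-body'></div>\n";
echo "<div id='oops_div'></div>\n";
echo "<div id='waitwait_div'></div>\n";

REQUIRE_UNDERSCORE();
REQUIRE_SUP();
REQUIRE_APTFORMS();
SPITREQUIRE("js/changepswd.js");

AddTemplateList(array("changepswd", "oops-modal", "waitwait-modal"));
SPITFOOTER();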
?>