<?php

/**
 * @file
 * User page callback file for the user module.
 */

/**
 * Menu callback; return a JSON object of autocomplete suggestions for
 * existing user names.
 *
 * @param $string
 *   The prefix typed so far; an empty string yields no suggestions.
 */
function user_autocomplete($string = '') {
  $matches = array();
  if ($string) {
    // Case-insensitive prefix match, capped at ten rows.
    // NOTE(review): %s is escaped as a SQL string literal, but '%' and '_'
    // inside $string still act as LIKE wildcards, so a prefix containing them
    // matches more broadly than a literal prefix would — confirm that is
    // acceptable for this callback.
    $result = db_query_range("SELECT name FROM {users} WHERE LOWER(name) LIKE LOWER('%s%%')", $string, 0, 10);
    for ($row = db_fetch_object($result); $row; $row = db_fetch_object($result)) {
      // Keyed by the raw name; the value is escaped for output in the list.
      $matches[$row->name] = check_plain($row->name);
    }
  }

  drupal_json($matches);
}

/**
 * Form builder; request a password reset.
 *
 * @ingroup forms
 * @see user_pass_validate()
 * @see user_pass_submit()
 */
function user_pass() {
  $form = array();
  // One field accepts either identifier, so it must fit the longer of the two.
  $form['name'] = array(
    '#type' => 'textfield',
    '#title' => t('Username or e-mail address'),
    '#size' => 60,
    '#maxlength' => max(USERNAME_MAX_LENGTH, EMAIL_MAX_LENGTH),
    '#required' => TRUE,
  );
  $form['submit'] = array(
    '#type' => 'submit',
    '#value' => t('E-mail new password'),
  );

  return $form;
}

/**
 * Validate handler for user_pass(); resolves the typed user name or e-mail
 * address to an active account and stores it in $form_state['values']['account'].
 *
 * Only accounts with status 1 are considered, and an account whose name or
 * e-mail matches an access rule is refused.
 */
function user_pass_validate($form, &$form_state) {
  $name = trim($form_state['values']['name']);

  // The field accepts either identifier: try e-mail first, then user name.
  $account = user_load(array('mail' => $name, 'status' => 1));
  if (!$account) {
    $account = user_load(array('name' => $name, 'status' => 1));
  }

  if ($account) {
    // Blocked accounts cannot request a new password: check the account's
    // name and e-mail against the access rules.
    $denied = drupal_is_denied('user', $account->name) || drupal_is_denied('mail', $account->mail);
    if ($denied) {
      form_set_error('name', t('%name is not allowed to request a new password.', array('%name' => $name)));
    }
  }

  if (!isset($account->uid)) {
    // NOTE(review): this message differs from the one above, so the form
    // reveals whether the typed identifier belongs to an existing account.
    form_set_error('name', t('Sorry, %name is not recognized as a user name or an e-mail address.', array('%name' => $name)));
  }
  else {
    form_set_value(array('#parents' => array('account')), $account, $form_state);
  }
}

/**
 * Submit handler for user_pass(); mails one-time login instructions to the
 * account resolved by user_pass_validate() and redirects to the 'user' path.
 */
function user_pass_submit($form, &$form_state) {
  global $language;

  $account = $form_state['values']['account'];
  // The one-time login URL and instructions go out in the current language.
  _user_mail_notify('password_reset', $account, $language);
  watchdog('user', 'Password reset instructions mailed to %name at %email.', array('%name' => $account->name, '%email' => $account->mail));
  drupal_set_message(t('Further instructions have been sent to your e-mail address.'));

  $form_state['redirect'] = 'user';
}

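/**
 * Menu callback; process a one-time login link and redirect to the user's
 * edit page on success.
 *
 * The link carries the uid, the time it was issued and a hash computed by
 * user_pass_rehash() from the account's password, the timestamp, the last
 * login time and the uid. The first visit shows a confirmation form; its
 * submission (action 'login') performs the login.
 *
 * @param $form_state
 *   Form state; this callback doubles as the confirmation form builder.
 * @param $uid
 *   User ID taken from the URL.
 * @param $timestamp
 *   Issue time of the link, taken from the URL.
 * @param $hashed_pass
 *   Hash taken from the URL, compared against user_pass_rehash().
 * @param $action
 *   NULL to show the confirmation form, 'login' to log the user in.
 *
 * @return
 *   The confirmation form array; every other path ends in a redirect or an
 *   access-denied page.
 */
function user_pass_reset(&$form_state, $uid, $timestamp, $hashed_pass, $action = NULL) {
  global $user;

  // Check if the user is already logged in. The back button is often the culprit here.
  if ($user->uid) {
    drupal_set_message(t('You have already used this one-time login link. It is not necessary to use this link to login anymore. You are already logged in.'));
    drupal_goto();
  }
  else {
    // Time out, in seconds, until login URL expires. 24 hours = 86400 seconds.
    $timeout = 86400;
    $current = time();
    // A link dated in the future is never valid, and only an active account
    // (status 1) may use one.
    if ($timestamp < $current && $account = user_load(array('uid' => $uid, 'status' => 1)) ) {
      // Deny one-time login to blocked accounts.
      if (drupal_is_denied('user', $account->name) || drupal_is_denied('mail', $account->mail)) {
        drupal_set_message(t('You have tried to use a one-time login for an account which has been blocked.'), 'error');
        drupal_goto();
      }

      // No time out for first time login.
      if ($account->login && $current - $timestamp > $timeout) {
        drupal_set_message(t('You have tried to use a one-time login link that has expired. Please request a new one using the form below.'));
        drupal_goto('user/password');
      }
      else if ($account->uid && $timestamp > $account->login && $timestamp < $current && $hashed_pass === user_pass_rehash($account->pass, $timestamp, $account->login, $account->uid)) {
        // The hash above is compared with '===' on purpose: with '==', PHP
        // compares two numeric-looking strings as numbers, so two different
        // hashes could be treated as equal. The link is also rejected once
        // the account has logged in after it was issued.

        // First stage is a confirmation form, then login
        if ($action == 'login') {
          watchdog('user', 'User %name used one-time login link at time %timestamp.', array('%name' => $account->name, '%timestamp' => $timestamp));
          // Set the new user.
          $user = $account;
          // user_authenticate_finalize() also updates the login timestamp of the
          // user, which invalidates further use of the one-time login link.
          user_authenticate_finalize($form_state['values']);
          drupal_set_message(t('You have just used your one-time login link. It is no longer necessary to use this link to login. Please change your password.'));
          drupal_goto('user/'. $user->uid .'/edit');
        }
        else {
          $form = array();
          $form['message'] = array('#value' => t('<p>This is a one-time login for %user_name and will expire on %expiration_date.</p><p>Click on this button to login to the site and change your password.</p>', array('%user_name' => $account->name, '%expiration_date' => format_date($timestamp + $timeout))));
          $form['help'] = array('#value' => '<p>'. t('This login can be used only once.') .'</p>');
          $form['submit'] = array('#type' => 'submit', '#value' => t('Log in'));
          // Submitting the confirmation form re-enters this callback with
          // the same link parameters plus the 'login' action.
          $form['#action'] = url("user/reset/$uid/$timestamp/$hashed_pass/login");
          return $form;
        }
      }
      else {
        drupal_set_message(t('You have tried to use a one-time login link which has either been used or is no longer valid. Please request a new one using the form below.'));
        drupal_goto('user/password');
      }
    }
    else {
      // Deny access, no more clues.
      // Everything will be in the watchdog's URL for the administrator to check.
      drupal_access_denied();
    }
  }
}
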
/**
 * Menu callback; log the current user out and redirect to the front page.
 */
function user_logout() {
  global $user;

  watchdog('user', 'Session closed for %name.', array('%name' => $user->name));

  // Destroy the current session:
  session_destroy();
  // user_module_invoke() takes this argument by reference, and only a
  // variable can be passed by reference — hence the placeholder.
  $null = NULL;
  user_module_invoke('logout', $null, $user);

  // Continue the request as the anonymous user.
  $user = drupal_anonymous_user();

  drupal_goto();
}

/**
 * Menu callback; display a user or user profile page.
 *
 * @param $account
 *   The loaded user object to display.
 */
function user_view($account) {
  drupal_set_title(check_plain($account->name));
  // Retrieve all profile fields and attach them to $account->content.
  user_build_content($account);

  // To theme user profiles, copy modules/user/user_profile.tpl.php
  // to your theme directory, and edit it as instructed in that file's comments.
  $output = theme('user_profile', $account);
  return $output;
}

/**
 * Process variables for user-profile.tpl.php.
 *
 * The $variables array contains the following arguments:
 * - $account
 *
 * Adds:
 * - $profile: one rendered string per section, keyed by section name.
 * - $user_profile: all sections concatenated, in weight order.
 *
 * @see user-picture.tpl.php
 */
function template_preprocess_user_profile(&$variables) {
  $account = &$variables['account'];
  // Sort sections by weight
  uasort($account->content, 'element_sort');
  // Provide keyed variables so themers can print each section independently.
  $profile = array();
  foreach (element_children($account->content) as $key) {
    $profile[$key] = drupal_render($account->content[$key]);
  }
  $variables['profile'] = $profile;
  // Collect all profiles to make it easier to print all items at once.
  $variables['user_profile'] = implode($profile);
}

/**
 * Process variables for user-profile-item.tpl.php.
 *
 * The $variables array contains the following arguments:
 * - $element
 *
 * Adds $title, $value and $attributes (a rendered attribute string, or ''
 * when the element declares no '#attributes').
 *
 * NOTE(review): unlike template_preprocess_user_profile_category(), the
 * title is not passed through check_plain() here — confirm that every
 * provider of '#title' escapes it before it reaches the template.
 *
 * @see user-profile-item.tpl.php
 */
function template_preprocess_user_profile_item(&$variables) {
  $element = $variables['element'];
  $variables['title'] = $element['#title'];
  $variables['value'] = $element['#value'];
  $variables['attributes'] = isset($element['#attributes']) ? drupal_attributes($element['#attributes']) : '';
}

/**
 * Process variables for user-profile-category.tpl.php.
 *
 * The $variables array contains the following arguments:
 * - $element
 *
 * Adds $title (escaped for HTML), $profile_items and $attributes (a rendered
 * attribute string, or '' when the element declares no '#attributes').
 *
 * @see user-profile-category.tpl.php
 */
function template_preprocess_user_profile_category(&$variables) {
  $element = $variables['element'];
  // The category title is plain text, so escape it for HTML output.
  $variables['title'] = check_plain($element['#title']);
  $variables['profile_items'] = $element['#children'];
  $variables['attributes'] = isset($element['#attributes']) ? drupal_attributes($element['#attributes']) : '';
}

/**
 * Form builder; present the form to edit a given user or profile category.
 *
 * @param $account
 *   The loaded user object being edited.
 * @param $category
 *   The profile category to edit; defaults to 'account'.
 *
 * @ingroup forms
 * @see user_edit_validate()
 * @see user_edit_submit()
 */
function user_edit($account, $category = 'account') {
  $title = check_plain($account->name);
  drupal_set_title($title);
  return drupal_get_form('user_profile_form', $account, $category);
}

/**
 * Form builder; edit a user account or one of their profile categories.
 *
 * @param $form_state
 *   Form state; submitted values, when present, repopulate the fields.
 * @param $account
 *   The loaded user object being edited.
 * @param $category
 *   The profile category to edit; defaults to 'account'.
 *
 * @ingroup forms
 * @see user_profile_form_validate()
 * @see user_profile_form_submit()
 * @see user_edit_delete_submit()
 */
function user_profile_form($form_state, $account, $category = 'account') {
  // On a fresh build the fields come from the account itself; on a rebuild
  // they come from the submitted values.
  if (empty($form_state['values'])) {
    $edit = (array)$account;
  }
  else {
    $edit = $form_state['values'];
  }

  $form = _user_forms($edit, $account, $category);
  // Carry the category and account through to the validate/submit handlers.
  $form['_category'] = array('#type' => 'value', '#value' => $category);
  $form['_account'] = array('#type' => 'value', '#value' => $account);
  $form['submit'] = array('#type' => 'submit', '#value' => t('Save'), '#weight' => 30);
  if (user_access('administer users')) {
    // The Delete button has its own submit handler, bypassing the save path.
    $form['delete'] = array(
      '#type' => 'submit',
      '#value' => t('Delete'),
      '#weight' => 31,
      '#submit' => array('user_edit_delete_submit'),
    );
  }
  // Multipart encoding so that the sub-forms may contain file fields.
  $form['#attributes']['enctype'] = 'multipart/form-data';

  return $form;
}

/**
 * Validation function for the user account and profile editing form.
 *
 * Lets modules validate first, then rejects submissions that try to set the
 * protected fields uid, init or session without 'administer users', or roles
 * without 'administer permissions'.
 */
function user_profile_form_validate($form, &$form_state) {
  user_module_invoke('validate', $form_state['values'], $form_state['values']['_account'], $form_state['values']['_category']);

  // Validate input to ensure that non-privileged users can't alter protected data.
  $values = $form_state['values'];
  $protected = array('uid', 'init', 'session');
  $tampered = FALSE;
  if (!user_access('administer users') && array_intersect(array_keys($values), $protected)) {
    $tampered = TRUE;
  }
  elseif (!user_access('administer permissions') && isset($values['roles'])) {
    $tampered = TRUE;
  }
  if ($tampered) {
    watchdog('security', 'Detected malicious attempt to alter protected user fields.', array(), WATCHDOG_WARNING);
    // set this to a value type field
    form_set_error('category', t('Detected malicious attempt to alter protected user fields.'));
  }
}

/**
 * Submit function for the user account and profile editing form.
 *
 * Strips form bookkeeping from the submitted values, lets modules react via
 * hook_user('submit'), saves the account and clears the page cache.
 */
function user_profile_form_submit($form, &$form_state) {
  $account = $form_state['values']['_account'];
  $category = $form_state['values']['_category'];
  // Only real account/profile data should reach user_save().
  $bookkeeping = array('_account', 'op', 'submit', 'delete', 'form_token', 'form_id', '_category');
  foreach ($bookkeeping as $key) {
    unset($form_state['values'][$key]);
  }
  user_module_invoke('submit', $form_state['values'], $account, $category);
  user_save($account, $form_state['values'], $category);

  // Clear the page cache because pages can contain usernames and/or profile information:
  cache_clear_all();

  drupal_set_message(t('The changes have been saved.'));
}

/**
 * Submit function for the 'Delete' button on the user edit form.
 *
 * Redirects to the deletion confirmation page, carrying along any
 * 'destination' query parameter so it applies after the confirmation.
 */
function user_edit_delete_submit($form, &$form_state) {
  $destination = '';
  if (isset($_REQUEST['destination'])) {
    $destination = drupal_get_destination();
    // Removed from the request, presumably so it does not override the
    // redirect to the delete page itself — verify against drupal_goto().
    unset($_REQUEST['destination']);
  }
  // Note: We redirect from user/uid/edit to user/uid/delete to make the tabs disappear.
  $uid = $form_state['values']['_account']->uid;
  $form_state['redirect'] = array('user/'. $uid .'/delete', $destination);
}

/**
 * Form builder; confirm form for user deletion.
 *
 * @param $form_state
 *   Form state.
 * @param $account
 *   The loaded user object to be deleted.
 *
 * @ingroup forms
 * @see user_confirm_delete_submit()
 */
function user_confirm_delete(&$form_state, $account) {
  $form = array();
  // Carry the account through to the submit handler.
  $form['_account'] = array('#type' => 'value', '#value' => $account);

  $question = t('Are you sure you want to delete the account %name?', array('%name' => $account->name));
  $cancel_path = 'user/'. $account->uid;
  $description = t('All submissions made by this user will be attributed to the anonymous account. This action cannot be undone.');

  return confirm_form($form, $question, $cancel_path, $description, t('Delete'), t('Cancel'));
}

/**
 * Submit function for the confirm form for user deletion.
 *
 * Deletes the account, reports it, and redirects to the user list unless a
 * 'destination' query parameter is present.
 */
function user_confirm_delete_submit($form, &$form_state) {
  $account = $form_state['values']['_account'];
  user_delete($form_state['values'], $account->uid);
  drupal_set_message(t('%name has been deleted.', array('%name' => $account->name)));

  if (!isset($_REQUEST['destination'])) {
    $form_state['redirect'] = 'admin/user/user';
  }
}

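/**
 * Validation function for the user edit form.
 *
 * The checks are the same as user_profile_form_validate(): module validation
 * via hook_user('validate'), then rejection of attempts to set protected
 * fields without the required permission. Delegating keeps the two entry
 * points from drifting apart instead of maintaining a verbatim copy here.
 */
function user_edit_validate($form, &$form_state) {
  user_profile_form_validate($form, $form_state);
}
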
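/**
 * Submit function for the user edit form.
 *
 * Identical to user_profile_form_submit(): strips form bookkeeping, invokes
 * hook_user('submit'), saves the account and clears the page cache.
 * Delegating keeps the two entry points from drifting apart instead of
 * maintaining a verbatim copy here.
 */
function user_edit_submit($form, &$form_state) {
  user_profile_form_submit($form, $form_state);
}
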
/**
 * Page callback for the 'user' path.
 *
 * Shows the current user's own page when logged in, or the login form for
 * anonymous users.
 */
function user_page() {
  global $user;
  if (!$user->uid) {
    return drupal_get_form('user_login');
  }
  // Serve the request as if user/<uid> had been requested directly.
  menu_set_active_item('user/'. $user->uid);
  return menu_execute_active_handler();
}