<?php

/**
 * @file
 * User page callback file for the user module.
 */

/**
 * Menu callback; returns a JSON object of autocomplete suggestions for existing users.
 *
 * Looks up at most ten user names whose lower-cased name starts with the
 * supplied prefix and emits them as JSON through drupal_json().
 *
 * @param $string
 *   The prefix typed so far. An empty value produces an empty suggestion list.
 */
function user_autocomplete($string = '') {
  if (!$string) {
    drupal_json(array());
    return;
  }

  // %s is escaped by db_query(); note that the LIKE wildcards '%' and '_'
  // inside $string are not, so they keep their pattern meaning here.
  $result = db_query_range("SELECT name FROM {users} WHERE LOWER(name) LIKE LOWER('%s%%')", $string, 0, 10);

  $suggestions = array();
  while ($row = db_fetch_object($result)) {
    // The value is rendered client-side, so escape it for HTML.
    $suggestions[$row->name] = check_plain($row->name);
  }

  drupal_json($suggestions);
}

/**
 * Form builder; requests a password reset.
 *
 * Presents one text field that accepts either a user name or an e-mail
 * address, plus a submit button that triggers the reset e-mail.
 *
 * @ingroup forms
 * @see user_pass_validate()
 * @see user_pass_submit()
 */
function user_pass() {
  // One field serves both identifiers, so it must fit the longer of the two.
  $maxlength = max(USERNAME_MAX_LENGTH, EMAIL_MAX_LENGTH);

  $form = array();
  $form['name'] = array(
    '#type' => 'textfield',
    '#title' => t('Username or e-mail address'),
    '#size' => 60,
    '#maxlength' => $maxlength,
    '#required' => TRUE,
  );
  $form['submit'] = array(
    '#type' => 'submit',
    '#value' => t('E-mail new password'),
  );

  return $form;
}

/**
 * Validation handler for user_pass().
 *
 * Resolves the submitted name or e-mail address to an active account and
 * stores it in $form_state['values']['account'] for user_pass_submit().
 * Raises a form error when no active account matches or when the account is
 * blocked by the access rules.
 */
function user_pass_validate($form, &$form_state) {
  $name = trim($form_state['values']['name']);

  // An e-mail address match takes precedence over a user name match; only
  // active accounts (status 1) are considered.
  $account = user_load(array('mail' => $name, 'status' => 1));
  if (!$account) {
    $account = user_load(array('name' => $name, 'status' => 1));
  }

  // Accounts matched by an access rule may not request a new password.
  if ($account && (drupal_is_denied('user', $account->name) || drupal_is_denied('mail', $account->mail))) {
    form_set_error('name', t('%name is not allowed to request a new password.', array('%name' => $name)));
  }

  // NOTE(review): the message below differs from the one above, so a visitor
  // can tell a known account from an unknown one.
  if (!isset($account->uid)) {
    form_set_error('name', t('Sorry, %name is not recognized as a user name or an e-mail address.', array('%name' => $name)));
    return;
  }
  form_set_value(array('#parents' => array('account')), $account, $form_state);
}

/**
 * Submit handler for user_pass(); mails the one-time login instructions.
 *
 * Reads the account that user_pass_validate() stored in
 * $form_state['values']['account'], sends the 'password_reset' mail in the
 * current request language, logs the event and redirects to 'user'.
 */
function user_pass_submit($form, &$form_state) {
  global $language;

  $account = $form_state['values']['account'];
  $log_context = array('%name' => $account->name, '%email' => $account->mail);

  // Mail one time login URL and instructions using current language.
  _user_mail_notify('password_reset', $account, $language);
  watchdog('user', 'Password reset instructions mailed to %name at %email.', $log_context);
  drupal_set_message(t('Further instructions have been sent to your e-mail address.'));

  $form_state['redirect'] = 'user';
}

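/**
 * Menu callback; processes a one-time login link and redirects to the user
 * page on success.
 *
 * The link carries the account uid, the timestamp at which it was issued and
 * a hash that user_pass_rehash() derives from the account's password, last
 * login time and uid. On the first visit a confirmation form is shown;
 * submitting it (action 'login') logs the user in and sends them to their
 * account edit page so they can choose a new password.
 *
 * @param $form_state
 *   Form API state; its 'values' are handed to user_authenticate_finalize().
 * @param $uid
 *   User ID taken from the link.
 * @param $timestamp
 *   Unix time the link was generated, taken from the link.
 * @param $hashed_pass
 *   Hash taken from the link, checked against user_pass_rehash().
 * @param $action
 *   NULL to display the confirmation form, 'login' to complete the login.
 *
 * @return
 *   The confirmation form array; nothing when a redirect or an access-denied
 *   page is issued instead.
 */
function user_pass_reset(&$form_state, $uid, $timestamp, $hashed_pass, $action = NULL) {
  global $user;

  // Check if the user is already logged in. The back button is often the culprit here.
  if ($user->uid) {
    drupal_set_message(t('You have already used this one-time login link. It is not necessary to use this link to login anymore. You are already logged in.'));
    drupal_goto();
  }
  else {
    // Time out, in seconds, until login URL expires. 24 hours = 86400 seconds.
    $timeout = 86400;
    $current = time();
    // The link must not be dated in the future and must refer to an active
    // (status 1) account; anything else is treated as an invalid request.
    if ($timestamp < $current && $account = user_load(array('uid' => $uid, 'status' => 1)) ) {
      // Deny one-time login to blocked accounts.
      if (drupal_is_denied('user', $account->name) || drupal_is_denied('mail', $account->mail)) {
        drupal_set_message(t('You have tried to use a one-time login for an account which has been blocked.'), 'error');
        drupal_goto();
      }

      // No time out for first time login.
      if ($account->login && $current - $timestamp > $timeout) {
        drupal_set_message(t('You have tried to use a one-time login link that has expired. Please request a new one using the form below.'));
        drupal_goto('user/password');
      }
      // $timestamp > $account->login rejects links issued before the last
      // login, i.e. links that have already been used. The hash is compared
      // with === : a loose == between two numeric-looking strings would
      // compare them as numbers and could accept a differing value.
      else if ($account->uid && $timestamp > $account->login && $timestamp < $current && $hashed_pass === user_pass_rehash($account->pass, $timestamp, $account->login, $account->uid)) {
        // First stage is a confirmation form, then login
        if ($action == 'login') {
          watchdog('user', 'User %name used one-time login link at time %timestamp.', array('%name' => $account->name, '%timestamp' => $timestamp));
          // Set the new user.
          $user = $account;
          // user_authenticate_finalize() also updates the login timestamp of the
          // user, which invalidates further use of the one-time login link.
          user_authenticate_finalize($form_state['values']);
          drupal_set_message(t('You have just used your one-time login link. It is no longer necessary to use this link to login. Please change your password.'));
          drupal_goto('user/'. $user->uid .'/edit');
        }
        else {
          $form['message'] = array('#value' => t('<p>This is a one-time login for %user_name and will expire on %expiration_date.</p><p>Click on this button to login to the site and change your password.</p>', array('%user_name' => $account->name, '%expiration_date' => format_date($timestamp + $timeout))));
          $form['help'] = array('#value' => '<p>'. t('This login can be used only once.') .'</p>');
          $form['submit'] = array('#type' => 'submit', '#value' => t('Log in'));
          $form['#action'] = url("user/reset/$uid/$timestamp/$hashed_pass/login");
          return $form;
        }
      }
      else {
        drupal_set_message(t('You have tried to use a one-time login link which has either been used or is no longer valid. Please request a new one using the form below.'));
        drupal_goto('user/password');
      }
    }
    else {
      // Deny access, no more clues.
      // Everything will be in the watchdog's URL for the administrator to check.
      drupal_access_denied();
    }
  }
}
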
/**
 * Menu callback; logs the current user out and redirects to the home page.
 *
 * Logs the event, destroys the PHP session, notifies modules of the logout,
 * replaces the global $user with the anonymous user and redirects.
 */
function user_logout() {
  global $user;

  watchdog('user', 'Session closed for %name.', array('%name' => $user->name));

  // Destroy the current session:
  session_destroy();
  // user_module_invoke() takes its second argument by reference, so a real
  // variable holding NULL is required rather than a literal.
  $edit = NULL;
  user_module_invoke('logout', $edit, $user);

  // Continue the request as the anonymous user.
  $user = drupal_anonymous_user();

  drupal_goto();
}

/**
 * Menu callback; displays a user or user profile page.
 *
 * @param $account
 *   The user object to display.
 *
 * @return
 *   The themed 'user_profile' output.
 */
function user_view($account) {
  // The user name is user-supplied text; escape it before it becomes the title.
  $title = check_plain($account->name);
  drupal_set_title($title);

  // Attach all profile fields to $account->content.
  user_build_content($account);

  // To theme user profiles, copy modules/user/user_profile.tpl.php
  // to your theme directory, and edit it as instructed in that file's comments.
  return theme('user_profile', $account);
}

/**
 * Process variables for user-profile.tpl.php.
 *
 * The $variables array contains the following arguments:
 * - $account
 *
 * Adds:
 * - $profile: one rendered string per section of $account->content, keyed
 *   by section name.
 * - $user_profile: all sections concatenated.
 *
 * @see user-picture.tpl.php
 */
function template_preprocess_user_profile(&$variables) {
  $account = $variables['account'];

  // Order the sections by their #weight.
  uasort($account->content, 'element_sort');

  // Render each section separately so themers can place them individually.
  $sections = array();
  foreach (element_children($account->content) as $key) {
    $sections[$key] = drupal_render($account->content[$key]);
  }
  $variables['profile'] = $sections;

  // Concatenated form for themes that print everything at once.
  $variables['user_profile'] = implode($sections);
}

/**
 * Process variables for user-profile-item.tpl.php.
 *
 * The $variables array contains the following arguments:
 * - $element
 *
 * Adds $title, $value and $attributes (an empty string when the element
 * carries no #attributes).
 *
 * @see user-profile-item.tpl.php
 */
function template_preprocess_user_profile_item(&$variables) {
  $element = $variables['element'];

  $variables['title'] = $element['#title'];
  $variables['value'] = $element['#value'];
  // Only build an attribute string when the element provides attributes.
  $variables['attributes'] = isset($element['#attributes'])
    ? drupal_attributes($element['#attributes'])
    : '';
}

/**
 * Process variables for user-profile-category.tpl.php.
 *
 * The $variables array contains the following arguments:
 * - $element
 *
 * Adds $title (HTML-escaped), $profile_items (the element's #children) and
 * $attributes (an empty string when the element carries no #attributes).
 *
 * @see user-profile-category.tpl.php
 */
function template_preprocess_user_profile_category(&$variables) {
  $element = $variables['element'];

  // The title is escaped here because it is printed as HTML by the template.
  $variables['title'] = check_plain($element['#title']);
  $variables['profile_items'] = $element['#children'];
  $variables['attributes'] = isset($element['#attributes'])
    ? drupal_attributes($element['#attributes'])
    : '';
}

/**
 * Form builder; presents the form to edit a given user or profile category.
 *
 * Sets the page title to the (escaped) user name and builds the
 * 'user_profile_form' for the requested category.
 *
 * @ingroup forms
 * @see user_profile_form()
 */
function user_edit($account, $category = 'account') {
  $title = check_plain($account->name);
  drupal_set_title($title);

  return drupal_get_form('user_profile_form', $account, $category);
}

/**
 * Form builder; edit a user account or one of their profile categories.
 *
 * Seeds the form from the account on first display and from the submitted
 * values on rebuild, stores the account and category as value elements, and
 * adds a Delete button for users with 'administer users'.
 *
 * @ingroup forms
 * @see user_profile_form_validate()
 * @see user_profile_form_submit()
 * @see user_edit_delete_submit()
 */
function user_profile_form($form_state, $account, $category = 'account') {
  // On a rebuild reuse what was submitted; otherwise start from the account.
  $has_values = !empty($form_state['values']);
  $edit = $has_values ? $form_state['values'] : (array) $account;

  $form = _user_forms($edit, $account, $category);
  $form['_category'] = array('#type' => 'value', '#value' => $category);
  $form['_account'] = array('#type' => 'value', '#value' => $account);
  $form['submit'] = array('#type' => 'submit', '#value' => t('Save'), '#weight' => 30);

  // Deletion is restricted to administrators and routes to its own handler.
  if (user_access('administer users')) {
    $form['delete'] = array(
      '#type' => 'submit',
      '#value' => t('Delete'),
      '#weight' => 31,
      '#submit' => array('user_edit_delete_submit'),
    );
  }

  // Multipart encoding so that file fields, if any category adds them, can be submitted.
  $form['#attributes']['enctype'] = 'multipart/form-data';

  return $form;
}

/**
 * Validation function for the user account and profile editing form.
 *
 * Lets modules validate the submitted values, then rejects submissions that
 * try to set protected fields (uid, init, session) without 'administer users'
 * or roles without 'administer permissions'. Such attempts are logged under
 * the 'security' watchdog type.
 */
function user_profile_form_validate($form, &$form_state) {
  $values = $form_state['values'];
  user_module_invoke('validate', $form_state['values'], $values['_account'], $values['_category']);

  // Validate input to ensure that non-privileged users can't alter protected data.
  $touches_protected = array_intersect(array_keys($values), array('uid', 'init', 'session'));
  $protected_violation = !user_access('administer users') && $touches_protected;
  $roles_violation = !user_access('administer permissions') && isset($values['roles']);

  if ($protected_violation || $roles_violation) {
    watchdog('security', 'Detected malicious attempt to alter protected user fields.', array(), WATCHDOG_WARNING);
    // set this to a value type field
    form_set_error('category', t('Detected malicious attempt to alter protected user fields.'));
  }
}

/**
 * Submit function for the user account and profile editing form.
 *
 * Strips the form bookkeeping values, lets modules react to the submission,
 * saves the account for the given category and clears the page cache.
 */
function user_profile_form_submit($form, &$form_state) {
  $account = $form_state['values']['_account'];
  $category = $form_state['values']['_category'];

  // Remove everything that is not account data before handing the values on.
  $bookkeeping = array('_account', 'op', 'submit', 'delete', 'form_token', 'form_id', '_category');
  foreach ($bookkeeping as $key) {
    unset($form_state['values'][$key]);
  }

  user_module_invoke('submit', $form_state['values'], $account, $category);
  user_save($account, $form_state['values'], $category);

  // Clear the page cache because pages can contain usernames and/or profile information:
  cache_clear_all();

  drupal_set_message(t('The changes have been saved.'));
}

/**
 * Submit function for the 'Delete' button on the user edit form.
 *
 * Redirects to the deletion confirmation page, carrying along any
 * 'destination' query parameter so it survives the confirmation step.
 */
function user_edit_delete_submit($form, &$form_state) {
  $destination = '';
  if (isset($_REQUEST['destination'])) {
    // Capture the destination and drop it from the request so the redirect
    // below is not overridden by it.
    $destination = drupal_get_destination();
    unset($_REQUEST['destination']);
  }

  // Note: We redirect from user/uid/edit to user/uid/delete to make the tabs disappear.
  $uid = $form_state['values']['_account']->uid;
  $form_state['redirect'] = array("user/$uid/delete", $destination);
}

/**
 * Form builder; confirm form for user deletion.
 *
 * @param $form_state
 *   Form API state (unused here).
 * @param $account
 *   The user object to be deleted; stored in the form as a value element.
 *
 * @ingroup forms
 * @see user_confirm_delete_submit()
 */
function user_confirm_delete(&$form_state, $account) {
  $form = array();
  $form['_account'] = array('#type' => 'value', '#value' => $account);

  $question = t('Are you sure you want to delete the account %name?', array('%name' => $account->name));
  $cancel_path = 'user/'. $account->uid;
  $description = t('All submissions made by this user will be attributed to the anonymous account. This action cannot be undone.');

  return confirm_form($form, $question, $cancel_path, $description, t('Delete'), t('Cancel'));
}

/**
 * Submit function for the confirm form for user deletion.
 *
 * Deletes the account stored in the form and redirects to the user admin
 * page unless a 'destination' was supplied with the request.
 */
function user_confirm_delete_submit($form, &$form_state) {
  $account = $form_state['values']['_account'];

  user_delete($form_state['values'], $account->uid);
  drupal_set_message(t('%name has been deleted.', array('%name' => $account->name)));

  // A request-supplied destination takes precedence over the default redirect.
  if (isset($_REQUEST['destination'])) {
    return;
  }
  $form_state['redirect'] = 'admin/user/user';
}

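/**
 * Validation handler for the user edit form.
 *
 * Performs the same checks as user_profile_form_validate() and delegates to
 * it, so the protected-field logic is maintained in one place. The function
 * is retained for callers that reference this name.
 */
function user_edit_validate($form, &$form_state) {
  user_profile_form_validate($form, $form_state);
}
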
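/**
 * Submit handler for the user edit form.
 *
 * Performs the same work as user_profile_form_submit() and delegates to it,
 * so the save-and-cache-clear sequence is maintained in one place. The
 * function is retained for callers that reference this name.
 */
function user_edit_submit($form, &$form_state) {
  user_profile_form_submit($form, $form_state);
}
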
/**
 * Access callback for path /user.
 *
 * Displays the user's own profile if the user is logged in, or the login form
 * for anonymous users.
 */
function user_page() {
  global $user;

  // Anonymous visitors get the login form.
  if (!$user->uid) {
    return drupal_get_form('user_login');
  }

  // Authenticated users are shown their own profile via the user/%uid handler.
  menu_set_active_item('user/'. $user->uid);
  return menu_execute_active_handler();
}
