head=> body<= {'user'}; my $memoryu = LJ::get_authas_user($authas); return LJ::bad_input($ML{'error.invalidauth'}) unless $memoryu; if ($LJ::USE_SSL && ! $LJ::IS_SSL && $FORM{'ssl'} ne "no") { return BML::redirect("$LJ::SSLROOT/changepassword.bml"); } my $crumb = $LJ::IS_SSL ? 'securechangepass' : 'changepass'; LJ::set_active_crumb($crumb); my $update_form = sub { my $ret; # else, show the form to change: $ret .= "

\n"; $ret .= LJ::html_hidden(mode => 'submit', ssl => $GET{'ssl'}); $ret .= "\n"; $ret .= "\n"; my $remote = LJ::get_remote(); # Warn them if logged in and not validated if (!LJ::did_post() && $remote && $remote->{'status'} ne 'A') { $ret .= "$ML{'label.warning'} $ML{'.error.notvalidated'} warningbar?>"; $ret .= "
"; } $ret .= "\n
\n"; # we make the field for the new password *longer* than the max length # for a password - that way we can tell if someone is trying to use an # excessively long password, instead of silently truncating it. $ret .= "$ML{'.oldpassword'}
\n"; $ret .= "
\n"; $ret .= "$ML{'.newpassword'}
\n"; $ret .= "
\n"; $ret .= "$ML{'.newpasswordagain'}
\n"; $ret .= "
\n"; $ret .= "standout?>\n"; $ret .= "\n"; $ret .= "\n"; $ret .= "\n"; $ret .= "standout?>\n"; $ret .= "

\n"; return $ret; }; unless (LJ::did_post()) { $body .= $update_form->(); } elsif ($POST{'mode'} eq 'submit') { my $user = $authas; #LJ::canonical_username($POST{'user'}); my $password = $POST{'password'}; my $newpass1 = LJ::trim($POST{'newpass1'}); my $newpass2 = LJ::trim($POST{'newpass2'}); my $remote = LJ::get_remote(); my $u = LJ::load_user($user); my @errors = (); if ($user eq "test") { push @errors, $ML{'.error.changetestaccount'}; } unless ($user) { push @errors, $ML{'.error.mustenterusername'}; } else { unless (defined $u) { push @errors, BML::ml('.error.invaliduser', {'user' => $user} ); } else { if (LJ::login_ip_banned($u)) { push @errors, $ML{'error.ipbanned'}; } elsif ($u->{'password'} eq "" || $u->{'password'} ne $password) { push @errors, $ML{'.error.badoldpassword'}; LJ::handle_bad_login($u); } } } if ($newpass1 ne $newpass2) { push @errors, $ML{'.error.badnewpassword'}; } else { if ($newpass1 eq "") { push @errors, $ML{'.error.blankpassword'}; } elsif (length $newpass1 > 30) { push @errors, $ML{'.error.characterlimit'}; } else { my @checkpass = LJ::run_hooks("bad_password", { 'user' => $u->{'user'}, 'password' => $newpass1, 'name' => $u->{'name'}, 'email' => $u->{'email'} }); if (@checkpass && $checkpass[0]->[0]) { push @errors, BML::ml('.error.badcheck', {'error' => $checkpass[0]->[0]}); } } } # don't allow changes if email address is not validated unless ($u->{'status'} eq 'A') { push @errors, $ML{'.error.notvalidated'}; } unless (LJ::is_ascii($newpass1)) { push @errors, $ML{'.error.nonascii'}; } if (@errors) { $body .= LJ::error_list(@errors); $body .= $update_form->(); return $body; } ## make note of changed password my $dbh = LJ::get_db_writer(); my $oldval = Digest::MD5::md5_hex($u->{'password'} . "change"); LJ::infohistory_add($u, 'password', $oldval); LJ::update_user($u, { password => $POST{'newpass1'} }); # Kill all sessions, forcing user to relogin $u->kill_all_sessions; LJ::send_mail({ 'to' => $u->{'email'}, 'from' => $LJ::ADMIN_EMAIL, 'fromname' => $LJ::SITENAME, 'charset' => 'utf-8', 'subject' => $ML{'.email.subject'}, 'body' => BML::ml('.email.body', {'sitename'=>$LJ::SITENAME, 'siteroot'=>$LJ::SITEROOT})}); $body = ""; # if they were logged in, tell them to relogin $body .= " "href='/login.bml'" }) . " p?>" if $remote; LJ::run_hooks("post_changepassword", { "u" => $u, "newpassword" => $POST{'newpass1'}, "oldpassword" => $u->{'password'}, }); } return $body; _code?> <=body page?> post: htdocs/changepassword.bml lib: Digest::MD5 hook: post_changepassword _c?>