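name] = check_plain($user->name);
    }
  }

  drupal_json($matches);
}

/**
 * Form builder; Request a password reset.
 *
 * @ingroup forms
 * @see user_pass_validate()
 * @see user_pass_submit()
 */
function user_pass() {
  $form['name'] = array(
    '#type' => 'textfield',
    '#title' => t('Username or e-mail address'),
    '#size' => 60,
    // Either a username or an e-mail address is accepted, so the field takes
    // the longer of the two limits.
    '#maxlength' => max(USERNAME_MAX_LENGTH, EMAIL_MAX_LENGTH),
    '#required' => TRUE,
  );
  $form['submit'] = array('#type' => 'submit', '#value' => t('E-mail new password'));

  return $form;
}

/**
 * Validation handler for user_pass(); resolves the submitted name to an account.
 *
 * Only active accounts (status 1) are considered. The value is first tried as
 * an e-mail address, then as a username. On success the loaded account is
 * stored in $form_state['values']['account'] for user_pass_submit().
 *
 * NOTE(review): the error message confirms whether the submitted name or
 * address belongs to an account; if that disclosure matters for the site,
 * rate limiting of this form is the usual mitigation.
 */
function user_pass_validate($form, &$form_state) {
  $name = trim($form_state['values']['name']);
  // Try to load by email.
  $account = user_load(array('mail' => $name, 'status' => 1));
  if (!$account) {
    // No success, try to load by name.
    $account = user_load(array('name' => $name, 'status' => 1));
  }
  if (isset($account->uid)) {
    form_set_value(array('#parents' => array('account')), $account, $form_state);
  }
  else {
    form_set_error('name', t('Sorry, %name is not recognized as a user name or an e-mail address.', array('%name' => $name)));
  }
}

/**
 * Submit handler for user_pass(); mails the one-time login instructions.
 *
 * Uses the account resolved by user_pass_validate() and the current interface
 * language, logs the delivery and redirects to the user page.
 */
function user_pass_submit($form, &$form_state) {
  global $language;

  $account = $form_state['values']['account'];
  // Mail one time login URL and instructions using current language.
  _user_mail_notify('password_reset', $account, $language);
  watchdog('user', 'Password reset instructions mailed to %name at %email.', array('%name' => $account->name, '%email' => $account->mail));
  drupal_set_message(t('Further instructions have been sent to your e-mail address.'));

  $form_state['redirect'] = 'user';
}

/**
 * Menu callback; process one time login link and redirects to the user page on success.
 *
 * The link has the form user/reset/$uid/$timestamp/$hashed_pass[/login]. It is
 * honoured only when all of the following hold:
 * - nobody is logged in on the current session;
 * - $timestamp lies in the past and, unless the account has never logged in,
 *   no more than $timeout seconds ago;
 * - the account exists and is active (status 1);
 * - $timestamp is later than the account's last login, so a link cannot be
 *   replayed once it has been used;
 * - $hashed_pass matches user_pass_rehash() for the account.
 *
 * Without $action the confirmation form is returned; with $action == 'login'
 * the user is logged in and sent to the account edit page.
 *
 * @param $form_state
 *   Form API state; its values are handed to user_authenticate_finalize().
 * @param $uid
 *   User ID taken from the link.
 * @param $timestamp
 *   UNIX timestamp at which the link was generated.
 * @param $hashed_pass
 *   Hash taken from the link, checked against user_pass_rehash().
 * @param $action
 *   NULL to show the confirmation form, 'login' to perform the login.
 *
 * @return
 *   The confirmation form, or nothing when the request redirects or is denied.
 */
function user_pass_reset(&$form_state, $uid, $timestamp, $hashed_pass, $action = NULL) {
  global $user;

  // Check if the user is already logged in. The back button is often the culprit here.
  if ($user->uid) {
    drupal_set_message(t('You have already used this one-time login link. It is not necessary to use this link to login anymore. You are already logged in.'));
    drupal_goto();
  }
  else {
    // Time out, in seconds, until login URL expires. 24 hours = 86400 seconds.
    $timeout = 86400;
    $current = time();
    // A link dated in the future is never valid, and the account must exist
    // and be active before anything else is examined.
    if ($timestamp < $current && $account = user_load(array('uid' => $uid, 'status' => 1))) {
      // No time out for first time login.
      // NOTE(review): a link for an account that has never logged in therefore
      // stays usable until that account logs in or its password changes.
      if ($account->login && $current - $timestamp > $timeout) {
        drupal_set_message(t('You have tried to use a one-time login link that has expired. Please request a new one using the form below.'));
        drupal_goto('user/password');
      }
      elseif ($account->uid && $timestamp > $account->login && $timestamp < $current && _user_pass_reset_hash_matches($hashed_pass, $account, $timestamp)) {
        // First stage is a confirmation form, then login
        if ($action == 'login') {
          watchdog('user', 'User %name used one-time login link at time %timestamp.', array('%name' => $account->name, '%timestamp' => $timestamp));
          // Set the new user.
          $user = $account;
          // user_authenticate_finalize() also updates the login timestamp of the
          // user, which invalidates further use of the one-time login link.
          user_authenticate_finalize($form_state['values']);
          drupal_set_message(t('You have just used your one-time login link. It is no longer necessary to use this link to login. Please change your password.'));
          drupal_goto('user/'. $user->uid .'/edit');
        }
        else {
          $form['message'] = array('#value' => t('

This is a one-time login for %user_name and will expire on %expiration_date.

Click on this button to login to the site and change your password.

', array('%user_name' => $account->name, '%expiration_date' => format_date($timestamp + $timeout))));
          $form['help'] = array('#value' => '

'. t('This login can be used only once.') .'

');
          $form['submit'] = array('#type' => 'submit', '#value' => t('Log in'));
          // The confirmation posts back to the same link with the 'login' action.
          $form['#action'] = url("user/reset/$uid/$timestamp/$hashed_pass/login");
          return $form;
        }
      }
      else {
        drupal_set_message(t('You have tried to use a one-time login link which has either been used or is no longer valid. Please request a new one using the form below.'));
        drupal_goto('user/password');
      }
    }
    else {
      // Deny access, no more clues.
      // Everything will be in the watchdog's URL for the administrator to check.
      drupal_access_denied();
    }
  }
}

/**
 * Compares the hash from a one-time login link with the expected value.
 *
 * A loose == comparison of two strings in PHP treats numeric-looking values
 * (for example hashes of the form "0e...") as numbers, so unequal hashes can
 * compare equal. The comparison here is strict, and uses hash_equals() where
 * the runtime provides it so that it does not leak timing information about
 * the expected value.
 *
 * @param $hashed_pass
 *   Hash taken from the link.
 * @param $account
 *   Loaded user object; its pass and login fields seed the expected hash.
 * @param $timestamp
 *   Timestamp taken from the link.
 *
 * @return
 *   TRUE when both hashes are identical, FALSE otherwise.
 */
function _user_pass_reset_hash_matches($hashed_pass, $account, $timestamp) {
  $expected = (string) user_pass_rehash($account->pass, $timestamp, $account->login);
  $given = (string) $hashed_pass;
  if (function_exists('hash_equals')) {
    return hash_equals($expected, $given);
  }
  // Fallback for runtimes without hash_equals(): still strict (no numeric
  // coercion), though not constant-time.
  return $expected === $given;
}

/**
 * Menu callback; logs the current user out, and redirects to the home page.
 *
 * The session is destroyed before the 'logout' user hook runs, and the global
 * $user is then replaced by the anonymous user.
 */
function user_logout() {
  global $user;

  watchdog('user', 'Session closed for %name.', array('%name' => $user->name));

  // Destroy the current session:
  session_destroy();
  module_invoke_all('user', 'logout', NULL, $user);

  // Load the anonymous user
  $user = drupal_anonymous_user();

  drupal_goto();
}

/**
 * Menu callback; Displays a user or user profile page.
 *
 * @param $account
 *   Loaded user object whose profile is rendered.
 *
 * @return
 *   Themed output of the 'user_profile' theme function.
 */
function user_view($account) {
  // The username is untrusted text and is escaped before it becomes the title.
  drupal_set_title(check_plain($account->name));
  // Retrieve all profile fields and attach to $account->content.
  user_build_content($account);

  // To theme user profiles, copy modules/user/user_profile.tpl.php
  // to your theme directory, and edit it as instructed in that file's comments.
  return theme('user_profile', $account);
}

/**
 * Process variables for user-profile.tpl.php.
 *
 * The $variables array contains the following arguments:
 * - $account
 *
 * Adds:
 * - $profile: rendered output of each child of $account->content, keyed by
 *   section name and sorted by weight.
 * - $user_profile: all sections concatenated.
 *
 * @see user-picture.tpl.php
 */
function template_preprocess_user_profile(&$variables) {
  $variables['profile'] = array();
  // Sort sections by weight
  uasort($variables['account']->content, 'element_sort');
  // Provide keyed variables so themers can print each section independently.
  foreach (element_children($variables['account']->content) as $key) {
    $variables['profile'][$key] = drupal_render($variables['account']->content[$key]);
  }
  // Collect all profiles to make it easier to print all items at once.
  $variables['user_profile'] = implode('', $variables['profile']);
}

/**
 * Process variables for user-profile-item.tpl.php.
 *
 * The $variables array contains the following arguments:
 * - $element
 *
 * Adds $title, $value and $attributes taken from the element. Neither $title
 * nor $value is escaped here; the module that builds the element is
 * responsible for that.
 *
 * @see user-profile-item.tpl.php
 */
function template_preprocess_user_profile_item(&$variables) {
  $variables['title'] = $variables['element']['#title'];
  $variables['value'] = $variables['element']['#value'];
  $variables['attributes'] = '';
  if (isset($variables['element']['#attributes'])) {
    $variables['attributes'] = drupal_attributes($variables['element']['#attributes']);
  }
}

/**
 * Process variables for user-profile-category.tpl.php.
 *
 * The $variables array contains the following arguments:
 * - $element
 *
 * Adds $title (escaped), $profile_items (the already rendered children) and
 * $attributes.
 *
 * @see user-profile-category.tpl.php
 */
function template_preprocess_user_profile_category(&$variables) {
  $variables['title'] = check_plain($variables['element']['#title']);
  $variables['profile_items'] = $variables['element']['#children'];
  $variables['attributes'] = '';
  if (isset($variables['element']['#attributes'])) {
    $variables['attributes'] = drupal_attributes($variables['element']['#attributes']);
  }
}

/**
 * Form builder; Present the form to edit a given user or profile category.
 *
 * @ingroup forms
 * @see user_edit_validate()
 * @see user_edit_submit()
 */
function user_edit($account, $category = 'account') {
  drupal_set_title(check_plain($account->name));
  return drupal_get_form('user_profile_form', $account, $category);
}

/**
 * Form builder; edit a user account or one of their profile categories.
 *
 * The account and category are carried in the '_account' and '_category'
 * value elements so the validate and submit handlers can retrieve them. The
 * 'Delete' button is only offered to users with 'administer users'.
 *
 * @ingroup forms
 * @see user_profile_form_validate()
 * @see user_profile_form_submit()
 * @see user_edit_delete_submit()
 */
function user_profile_form($form_state, $account, $category = 'account') {

  $edit = (empty($form_state['values'])) ? (array)$account : $form_state['values'];

  $form = _user_forms($edit, $account, $category);
  $form['_category'] = array('#type' => 'value', '#value' => $category);
  $form['_account'] = array('#type' => 'value', '#value' => $account);
  $form['submit'] = array('#type' => 'submit', '#value' => t('Save'), '#weight' => 30);
  if (user_access('administer users')) {
    $form['delete'] = array(
      '#type' => 'submit',
      '#value' => t('Delete'),
      '#weight' => 31,
      '#submit' => array('user_edit_delete_submit'),
    );
  }
  // Picture uploads need a multipart request.
  $form['#attributes']['enctype'] = 'multipart/form-data';

  return $form;
}

/**
 * Validation function for the user account and profile editing form.
 *
 * After the module validate hooks, rejects submissions that carry the
 * protected 'uid', 'init' or 'session' values without 'administer users', or
 * 'roles' without 'administer permissions', logging them as a security event.
 */
function user_profile_form_validate($form, &$form_state) {
  user_module_invoke('validate', $form_state['values'], $form_state['values']['_account'], $form_state['values']['_category']);
  // Validate input to ensure that non-privileged users can't alter protected data.
  if ((!user_access('administer users') && array_intersect(array_keys($form_state['values']), array('uid', 'init', 'session'))) || (!user_access('administer permissions') && isset($form_state['values']['roles']))) {
    watchdog('security', 'Detected malicious attempt to alter protected user fields.', array(), WATCHDOG_WARNING);
    // set this to a value type field
    form_set_error('category', t('Detected malicious attempt to alter protected user fields.'));
  }
}

/**
 * Submit function for the user account and profile editing form.
 *
 * Strips the Form API bookkeeping values before handing the remaining values
 * to the module submit hooks and user_save(), then clears the page cache.
 */
function user_profile_form_submit($form, &$form_state) {
  $account = $form_state['values']['_account'];
  $category = $form_state['values']['_category'];
  // Only real field values may reach user_save().
  unset($form_state['values']['_account'], $form_state['values']['op'], $form_state['values']['submit'], $form_state['values']['delete'], $form_state['values']['form_token'], $form_state['values']['form_id'], $form_state['values']['_category']);
  user_module_invoke('submit', $form_state['values'], $account, $category);
  user_save($account, $form_state['values'], $category);

  // Clear the page cache because pages can contain usernames and/or profile information:
  cache_clear_all();

  drupal_set_message(t('The changes have been saved.'));
}

/**
 * Submit function for the 'Delete' button on the user edit form.
 *
 * Any 'destination' in the request is captured and removed so that the
 * redirect to the delete confirmation is not overridden by it.
 */
function user_edit_delete_submit($form, &$form_state) {
  $destination = '';
  if (isset($_REQUEST['destination'])) {
    $destination = drupal_get_destination();
    unset($_REQUEST['destination']);
  }
  // Note: We redirect from user/uid/edit to user/uid/delete to make the tabs disappear.
  $form_state['redirect'] = array("user/". $form_state['values']['_account']->uid ."/delete", $destination);
}

/**
 * Form builder; confirm form for user deletion.
 *
 * @ingroup forms
 * @see user_confirm_delete_submit()
 */
function user_confirm_delete(&$form_state, $account) {

  $form['_account'] = array('#type' => 'value', '#value' => $account);

  return confirm_form($form,
    t('Are you sure you want to delete the account %name?', array('%name' => $account->name)),
    'user/'. $account->uid,
    t('All submissions made by this user will be attributed to the anonymous account. This action cannot be undone.'),
    t('Delete'), t('Cancel'));
}

/**
 * Submit function for the confirm form for user deletion.
 *
 * Deletes the account stored in '_account' and redirects to the user list
 * unless the request already names a destination.
 */
function user_confirm_delete_submit($form, &$form_state) {
  user_delete($form_state['values'], $form_state['values']['_account']->uid);
  drupal_set_message(t('%name has been deleted.', array('%name' => $form_state['values']['_account']->name)));

  if (!isset($_REQUEST['destination'])) {
    $form_state['redirect'] = 'admin/user/user';
  }
}

/**
 * Validation handler kept for callers that still reference user_edit_validate().
 *
 * Performs exactly the checks of user_profile_form_validate().
 */
function user_edit_validate($form, &$form_state) {
  user_profile_form_validate($form, $form_state);
}

/**
 * Submit handler kept for callers that still reference user_edit_submit().
 *
 * Performs exactly the work of user_profile_form_submit().
 */
function user_edit_submit($form, &$form_state) {
  user_profile_form_submit($form, $form_state);
}

/**
 * Access callback for path /user.
 *
 * Displays user profile if user is logged in, or login form for anonymous
 * users.
 *
 * @return
 *   The output of the user/%uid menu handler, or the login form.
 */
function user_page() {
  global $user;
  if ($user->uid) {
    menu_set_active_item('user/'. $user->uid);
    return menu_execute_active_handler();
  }
  else {
    return drupal_get_form('user_login');
  }
}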