Elgg  Version 1.11
PasswordService.php
Go to the documentation of this file.
1 <?php
2 namespace Elgg;
3 
11 final class PasswordService {
12 
16  public function __construct() {
17  if (!function_exists('password_hash')) {
18  throw new \RuntimeException("password_hash and associated functions are required.");
19  }
20  }
21 
31  function needsRehash($hash) {
32  return password_needs_rehash($hash, PASSWORD_DEFAULT);
33  }
34 
43  function verify($password, $hash) {
44  return password_verify($password, $hash);
45  }
46 
54  function generateHash($password) {
55  return password_hash($password, PASSWORD_DEFAULT);
56  }
57 
67  return md5($password . $user->salt);
68  }
69 
78  $user_guid = (int)$user_guid;
79 
80  $user = _elgg_services()->entityTable->get($user_guid);
81  if (!$user instanceof \ElggUser) {
82  return false;
83  }
84 
85  // generate code
87  $user->setPrivateSetting('passwd_conf_code', $code);
88  $user->setPrivateSetting('passwd_conf_time', time());
89 
90  // generate link
91  $link = _elgg_services()->config->getSiteUrl() . "changepassword?u=$user_guid&c=$code";
92 
93  // generate email
94  $ip_address = _elgg_services()->request->getClientIp();
95  $message = _elgg_services()->translator->translate(
96  'email:changereq:body', array($user->name, $ip_address, $link), $user->language);
97  $subject = _elgg_services()->translator->translate(
98  'email:changereq:subject', array(), $user->language);
99 
100  return notify_user($user->guid, elgg_get_site_entity()->guid, $subject, $message, array(), 'email');
101  }
102 
114  if (!$user instanceof \ElggUser) {
115  $user = _elgg_services()->entityTable->get($user, 'user');
116  if (!$user) {
117  return false;
118  }
119  }
120 
121  $user->setPassword($password);
122 
123  $ia = elgg_set_ignore_access(true);
124  $result = (bool)$user->save();
126 
127  return $result;
128  }
129 
139  function executeNewPasswordReset($user_guid, $conf_code, $password = null) {
140  $user_guid = (int)$user_guid;
142 
143  if ($password === null) {
145  $reset = true;
146  } else {
147  $reset = false;
148  }
149 
150  if (!$user instanceof \ElggUser) {
151  return false;
152  }
153 
154  $saved_code = $user->getPrivateSetting('passwd_conf_code');
155  $code_time = (int) $user->getPrivateSetting('passwd_conf_time');
156  $codes_match = _elgg_services()->crypto->areEqual($saved_code, $conf_code);
157 
158  if (!$saved_code || !$codes_match) {
159  return false;
160  }
161 
162  // Discard for security if it is 24h old
163  if (!$code_time || $code_time < time() - 24 * 60 * 60) {
164  return false;
165  }
166 
167  if (!$this->forcePasswordReset($user, $password)) {
168  return false;
169  }
170 
171  remove_private_setting($user_guid, 'passwd_conf_code');
172  remove_private_setting($user_guid, 'passwd_conf_time');
173  // clean the logins failures
175 
176  $ns = $reset ? 'resetpassword' : 'changepassword';
177 
178  $message = _elgg_services()->translator->translate(
179  "email:$ns:body", array($user->username, $password), $user->language);
180  $subject = _elgg_services()->translator->translate("email:$ns:subject", array(), $user->language);
181 
182  notify_user($user->guid, elgg_get_site_entity()->guid, $subject, $message, array(), 'email');
183 
184  return true;
185  }
186 }
verify($password, $hash)
Verify a password against a hash using a timing attack resistant approach.
elgg_get_site_entity($site_guid=0)
Get an entity (default is current site)
Definition: sites.php:18
$subject
Definition: exceptions.php:25
$ia
Definition: upgrade.php:26
__construct()
Constructor.
reset_login_failure_count($user_guid)
Resets the fail login count for $user_guid.
Definition: sessions.php:232
executeNewPasswordReset($user_guid, $conf_code, $password=null)
Validate and change password for a user.
Save menu items.
remove_private_setting($entity_guid, $name)
Deletes a private setting for an entity.
elgg_set_ignore_access($ignore=true)
Set if Elgg&#39;s access system should be ignored.
Definition: access.php:43
_elgg_services()
Definition: autoloader.php:14
$user
Definition: ban.php:13
generateLegacyHash(\ElggUser $user, $password)
Hash a password for storage.
needsRehash($hash)
Determine if the password hash needs to be rehashed.
$reset
$password
Definition: login.php:25
notify_user($to, $from, $subject, $message, array $params=array(), $methods_override="")
Notify a user via their preferences.
generate_random_cleartext_password()
Generate a random 12 character clear text password.
Definition: users.php:189
$user_guid
Avatar remove action.
Definition: remove.php:6
generateHash($password)
Hash a password for storage using password_hash()
forcePasswordReset($user, $password)
Set a user&#39;s new password and save the entity.
sendNewPasswordRequest($user_guid)
Generate and send a password request email to a given user&#39;s registered email address.
get_entity($guid)
Loads and returns an entity object from a guid.
Definition: entities.php:382