1 <?php
2 namespace Elgg;
3 
final class PasswordService {

	/**
	 * Constructor.
	 *
	 * Fails fast when the native password_* functions are not available,
	 * since every method of this service depends on them.
	 *
	 * @throws \RuntimeException if password_hash() does not exist
	 */
	public function __construct() {
		if (!function_exists('password_hash')) {
			throw new \RuntimeException("password_hash and associated functions are required.");
		}
	}

	/**
	 * Determine if the password hash needs to be rehashed.
	 *
	 * True when $hash was not produced with the current PASSWORD_DEFAULT
	 * algorithm and options (for example a hash made under an older cost).
	 * Intended to be checked after a successful verify(), so the plaintext is
	 * still at hand to store a fresh generateHash() result.
	 *
	 * @param string $hash The stored hash
	 *
	 * @return bool
	 */
	function needsRehash($hash) {
		return password_needs_rehash($hash, PASSWORD_DEFAULT);
	}

	/**
	 * Verify a password against a hash using a timing attack resistant approach.
	 *
	 * Delegates to password_verify(); do not replace this with an ==/=== on
	 * hash strings, which would compare in data-dependent time.
	 *
	 * @param string $password Plaintext password to check
	 * @param string $hash     Hash as produced by generateHash()
	 *
	 * @return bool
	 */
	function verify($password, $hash) {
		return password_verify($password, $hash);
	}

	/**
	 * Hash a password for storage using password_hash()
	 *
	 * PASSWORD_DEFAULT is used so the algorithm can follow PHP upgrades; pair
	 * with needsRehash() to migrate stored hashes over time. The salt is
	 * generated and embedded in the returned string by password_hash() itself,
	 * so nothing else needs to be stored alongside the hash.
	 *
	 * @param string $password Plaintext password
	 *
	 * @return string The hash (older PHP versions return false on failure —
	 *                callers storing the result should check for that)
	 */
	function generateHash($password) {
		return password_hash($password, PASSWORD_DEFAULT);
	}

	// NOTE(review): this rendering drops source lines 57-66 here — the docblock
	// and signature of this method. The page's own index gives it as
	// generateLegacyHash(\ElggUser $user, $password), "Hash a password for
	// storage." What is visible is the pre-password_hash() scheme: an md5 of the
	// password concatenated with the user's stored salt. That is not an
	// acceptable storage format today; presumably it is kept only so accounts
	// hashed under the old scheme can be verified once and then migrated via
	// needsRehash()/generateHash() — confirm against the callers.
		return md5($password . $user->salt);
	}

	// NOTE(review): source lines 70-77 (docblock and signature) are dropped in
	// this rendering. The index gives the signature as
	// sendNewPasswordRequest($user_guid): "Generate and send a password request
	// email to a given user's registered email address."
		$user_guid = (int)$user_guid;

		// Only ElggUser entities can have a password; a missing entity or any
		// other entity type is refused.
		$user = _elgg_services()->entityTable->get($user_guid);
		if (!$user instanceof \ElggUser) {
			return false;
		}

		// generate code
		// NOTE(review): source line 86 is missing from this listing; it must
		// assign $code before it is stored below. The index lists
		// generate_random_cleartext_password(), which is presumably what is
		// called — confirm in the repository.
		// The code and its creation time are persisted as private settings so
		// executeNewPasswordReset() can check both the match and the age.
		$user->setPrivateSetting('passwd_conf_code', $code);
		$user->setPrivateSetting('passwd_conf_time', time());

		// generate link
		// The guid and the code travel in the query string; the URL is then
		// signed with a one-day expiry. That signature window is separate from
		// the 24h check executeNewPasswordReset() applies to passwd_conf_time.
		$link = _elgg_services()->config->getSiteUrl() . "changepassword?u=$user_guid&c=$code";
		$link = _elgg_services()->urlSigner->sign($link, '+1 day');

		// generate email
		// The requester's IP is included in the message body (presumably so the
		// account owner can recognise a request they did not make).
		$ip_address = _elgg_services()->request->getClientIp();
		$message = _elgg_services()->translator->translate(
			'email:changereq:body', array($user->name, $ip_address, $link), $user->language);
		$subject = _elgg_services()->translator->translate(
			'email:changereq:subject', array(), $user->language);

		$params = [
			'action' => 'requestnewpassword',
			'object' => $user,
			'ip_address' => $ip_address,
			'link' => $link,
		];

		// The return value is whatever notify_user() reports for the email method.
		return notify_user($user->guid, elgg_get_site_entity()->guid, $subject, $message, $params, 'email');
	}

	// NOTE(review): source lines 111-121 (docblock and signature) are dropped
	// here. Per the index: forcePasswordReset($user, $password), "Set a user's
	// new password and save the entity."
		// Accept either an ElggUser or a guid; a guid is resolved to a 'user'
		// entity and anything else is refused.
		if (!$user instanceof \ElggUser) {
			$user = _elgg_services()->entityTable->get($user, 'user');
			if (!$user) {
				return false;
			}
		}

		// This method applies no length/complexity/current-password checks of
		// its own; whatever policy exists has to be enforced by the caller.
		$user->setPassword($password);

		// Save with the access system bypassed so the reset succeeds even when
		// the current session could not otherwise edit this user.
		$ia = elgg_set_ignore_access(true);
		$result = (bool)$user->save();
		// NOTE(review): source line 133 is missing from this listing; it should
		// restore the previous ignore-access state (elgg_set_ignore_access($ia)).
		// Without that restore, access checks would stay disabled for the rest
		// of the request — confirm in the repository.

		return $result;
	}

	/**
	 * Validate and change password for a user.
	 *
	 * Consumes a one-time confirmation code issued by sendNewPasswordRequest():
	 * the code must match the stored 'passwd_conf_code', the stored timestamp
	 * must be less than 24h old, and both settings are deleted once used.
	 * When $password is null a new password is generated (that line is dropped
	 * in this rendering, see below) and the 'resetpassword' email is sent;
	 * otherwise the 'changepassword' email. In both cases the new password is
	 * placed in cleartext in the notification, so the email channel is part of
	 * this flow's trust boundary.
	 *
	 * @param int    $user_guid User's guid
	 * @param string $conf_code Confirmation code from the emailed link
	 * @param string $password  New password, or null to have one generated
	 *
	 * @return bool False when the user, code or timestamp check fails or the
	 *              save fails; true once the password is saved and the
	 *              notification has been handed to notify_user()
	 */
	function executeNewPasswordReset($user_guid, $conf_code, $password = null) {
		$user_guid = (int)$user_guid;
		// NOTE(review): source line 149 is dropped from this listing; $user is
		// read below and must be loaded here. The index lists get_entity($guid),
		// which is presumably what is called — confirm in the repository.

		if ($password === null) {
			// NOTE(review): source line 152 is dropped here; it should assign the
			// generated password (the index lists
			// generate_random_cleartext_password()) — confirm.
			$reset = true;
		} else {
			$reset = false;
		}

		if (!$user instanceof \ElggUser) {
			return false;
		}

		$saved_code = $user->getPrivateSetting('passwd_conf_code');
		$code_time = (int) $user->getPrivateSetting('passwd_conf_time');
		// Compared through the crypto service's areEqual() rather than ===, so
		// the comparison time does not depend on how much of the code matched
		// (presumably a constant-time compare — confirm in the Crypto service).
		$codes_match = _elgg_services()->crypto->areEqual($saved_code, $conf_code);

		// No outstanding request, or the code does not match. Nothing in this
		// method counts failed attempts; the code's entropy and the 24h window
		// below are the only limits visible here.
		if (!$saved_code || !$codes_match) {
			return false;
		}

		// Discard for security if it is 24h old
		// A missing or zero timestamp is treated as expired.
		if (!$code_time || $code_time < time() - 24 * 60 * 60) {
			return false;
		}

		if (!$this->forcePasswordReset($user, $password)) {
			return false;
		}

		// The code is single-use: drop it and its timestamp once the new
		// password has been saved.
		remove_private_setting($user_guid, 'passwd_conf_code');
		remove_private_setting($user_guid, 'passwd_conf_time');
		// clean the logins failures
		// NOTE(review): source line 182 is dropped here; per the comment above
		// and the index it presumably calls reset_login_failure_count($user_guid)
		// — confirm.

		$ns = $reset ? 'resetpassword' : 'changepassword';

		// Both templates receive the username and the cleartext password.
		$message = _elgg_services()->translator->translate(
			"email:$ns:body", array($user->username, $password), $user->language);
		$subject = _elgg_services()->translator->translate("email:$ns:subject", array(), $user->language);

		$params = [
			'action' => $ns,
			'object' => $user,
			'password' => $password,
		];

		// The result of notify_user() is not checked: a failed send does not
		// undo the password change already saved above.
		notify_user($user->guid, elgg_get_site_entity()->guid, $subject, $message, $params, 'email');

		return true;
	}
}