--- user.module 2005-03-31 07:47:28.000000000 +0200
+++ modules/user.module 2005-03-31 07:51:52.000000000 +0200
@@ -636,6 +636,8 @@ function user_menu($may_cache) {
'callback' => 'user_page', 'access' => $user->uid == 0 && variable_get('user_register', 1), 'type' => MENU_LOCAL_TASK);
$items[] = array('path' => 'user/password', 'title' => t('request new password'),
'callback' => 'user_pass', 'access' => $user->uid == 0, 'type' => MENU_LOCAL_TASK);
+ $items[] = array('path' => 'user/newpassword', 'title' => t('directlogin'),
+ 'callback' => 'user_pass_new', 'access' => $user->uid == 0, 'type' => MENU_CALLBACK);
$items[] = array('path' => 'user/help', 'title' => t('help'),
'callback' => 'user_help_page', 'type' => MENU_CALLBACK);
@@ -909,15 +911,15 @@ function user_pass() {
else if ($edit['mail'] && !($account = user_load(array('mail' => $edit['mail'], 'status' => 1)))) {
form_set_error('mail', t('Sorry. The e-mail address %email is not recognized.', array('%email' => ''. $edit['mail'] .'')));
}
- if ($account) {
+ if ($account && $account->uid > 1) { // Not allowed for admin account
$from = variable_get('site_mail', ini_get('sendmail_from'));
- $pass = user_password();
-
- // Save new password:
- user_save($account, array('pass' => $pass));
+ $timestamp = time();
+ $hashedpass = user_pass_rehash($account->pass, $timestamp, $account->changed);
+ // Generate one time login URL
+ $loginurl = "$base_url/user/newpassword/$account->uid/$timestamp/$hashedpass";
// Mail new password:
- $variables = array('%username' => $account->name, '%site' => variable_get('site_name', 'drupal'), '%password' => $pass, '%uri' => $base_url, '%uri_brief' => substr($base_url, strlen('http://')), '%mailto' => $account->mail, '%date' => format_date(time()), '%login_uri' => url('user', NULL, NULL, TRUE), '%edit_uri' => url('user/'. $account->uid .'/edit', NULL, NULL, TRUE));
+ $variables = array('%username' => $account->name, '%site' => variable_get('site_name', 'drupal'), '%login_url' => $loginurl, '%uri' => $base_url, '%uri_brief' => substr($base_url, strlen('http://')), '%mailto' => $account->mail, '%date' => format_date(time()), '%login_uri' => url('user', NULL, NULL, TRUE), '%edit_uri' => url('user/'. $account->uid .'/edit', NULL, NULL, TRUE));
$subject = _user_mail_text('pass_subject', $variables);
$body = _user_mail_text('pass_body', $variables);
$headers = "From: $from\nReply-to: $from\nX-Mailer: Drupal\nReturn-path: $from\nErrors-to: $from";
@@ -946,6 +948,33 @@ function user_pass() {
}
}
+function user_pass_new($uid, $timestamp, $hashedpass) {
+ global $user;
+ $maxtime = 28800;
+ $account = user_load(array('uid' => $uid, 'status' => 1));
+ $currenttime = time();
+ if(!$user->uid && $uid > 1 && !empty($account) &&
+ $timestamp < $currenttime && $currenttime - $timestamp < $maxtime && $timestamp > $account->changed &&
+ $hashedpass == user_pass_rehash($account->pass, $timestamp, $account->changed)) {
+ watchdog('user', t('One time auto login used for %name with timestamp %timestamp.', array('%name' => "$account->name", '%timestamp' => $timestamp)));
+ // Update the user table timestamp noting user has logged in.
+ // And this also makes this hased password a one-try-only login
+ db_query("UPDATE {users} SET changed = '%d' WHERE uid = %d", time(), $account->uid);
+ // Now we can set the new user
+ $user = $account;
+ // And proceed with normal login, going to user page
+ user_module_invoke('login', $edit, $user);
+ drupal_goto('user/'. $user->uid .'/edit');
+ }
+ // Just deny access, no clues, no nothing
+ // Everything will be in the watchdog's URL for the admin to check
+ drupal_access_denied();
+}
+
+function user_pass_rehash($pass1, $timestamp, $lastlogin){
+ return md5($timestamp.$pass1.$lastlogin);
+}
+
function user_register($edit = array()) {
global $user, $base_url;
@@ -1253,7 +1282,7 @@ function _user_mail_text($messageid, $va
case 'pass_subject':
return t('Replacement login information for %username at %site', $variables);
case 'pass_body':
- return t("%username,\n\nHere is your new password for %site. You may now login to %login_uri using the following username and password:\n\nusername: %username\npassword: %password\n\nAfter logging in, you may wish to change your password at %edit_uri", $variables);
+ return t("%username,\n\nHere is your new login information for %site. You may now login to %login_uri clicking on this link or copying and pasting it in your browser:\n\n%login_url\n\nThis is a one-time login, so it can be used only once. After logging in, you may wish to change your password at %edit_uri", $variables);
}
}
}