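uid == $GLOBALS['user']->uid || variable_get('password_change_all', 0)) {
  if (password_change_is_reset()) {
    // Make the normal password field required if the password was just
    // reset.
    $form['account']['pass']['#required'] = TRUE;
  }
  else {
    // Add the current password field just below the 'Save' button.
    $form['pass_current'] = array(
      '#type' => 'password',
      '#title' => t('Your current password'),
      '#description' => t('For security reasons, enter your current password to confirm your changes.'),
      '#size' => 25,
      '#weight' => $form['submit']['#weight'] - 0.5,
      '#required' => TRUE,
      '#element_validate' => array('password_change_validate_password'),
    );
  }
  // Put the submit handler first so we can clear the values before they
  // could be saved into $user->data.
  array_unshift($form['#submit'], 'password_change_form_submit_clear_reset');
}
}
//unset($form['locale']);
//unset($form['theme_select']);
//unset($form['picture']);
//unset($form['contact']);
//unset($form['timezone']);
}

/**
 * Element validation callback for the 'current password' field.
 *
 * Based on _phpass_user_authenticate() (phpass.module) and
 * _password_load_user() / password_user() (password.module).
 *
 * The entered password is always checked against the account of the user who
 * is currently logged in ($GLOBALS['user']), not against the account being
 * edited, so an administrator editing another user confirms his or her own
 * password.
 *
 * Three storage schemes are supported, tried in this order:
 *  - password.module: hash stored in {password}.pass;
 *  - phpass.module: hash stored in {user_phpass}.hash, with {users}.pass set
 *    to the marker string 'phpass';
 *  - core Drupal 6: unsalted MD5 in {users}.pass.
 * When a scheme's hash is unavailable the check falls back to the legacy MD5
 * comparison or fails closed; it never succeeds without a comparison.
 *
 * @param $element
 *   The form element holding the entered current password in '#value'.
 * @param $form_state
 *   The form state (unused; supplied by Form API).
 */
function password_change_validate_password($element, $form_state) {
  $curpass = $element['#value'];
  $account = user_load(array('name' => $GLOBALS['user']->name, 'status' => 1));

  // user_load() returns FALSE when no active account matches; nothing can be
  // verified in that case, so fail closed instead of letting the change pass.
  if (!$account) {
    form_error($element, t('Incorrect current password.'));
    return;
  }

  if (module_exists('password')) {
    // Load the new-style hash from the password module's table.
    $account->password = db_result(db_query("SELECT pass FROM {password} WHERE uid = %d", $account->uid));
    if (!empty($account->password)) {
      // user_check_password() reads the hash from $account->pass, so swap the
      // new hash in for the duration of the check and restore it afterwards.
      $old_pass = $account->pass;
      $account->pass = $account->password;
      // Allow alternate password hashing schemes (password.module).
      _password_include();
      if (!user_check_password($curpass, $account)) {
        form_error($element, t('Incorrect current password.'));
      }
      $account->pass = $old_pass;
    }
    else {
      // No migrated hash for this account yet: it still carries the legacy
      // MD5 hash in {users}.pass, so compare against that rather than
      // skipping the check entirely.
      _password_change_check_md5($element, $account, $curpass);
    }
  }
  elseif (module_exists('phpass') && variable_get('user_hash_method', 'phpass') == 'phpass') {
    // Load the phpass hash from the phpass module's table.
    $account->hash = db_result(db_query("SELECT hash FROM {user_phpass} WHERE uid = %d", $account->uid));
    if ($account->pass == 'phpass') {
      if (!empty($account->hash)) {
        // Check whether PasswordHash.php is missing (phpass.module).
        _phpass_is_passwordhash_php_missing();
        // Allow alternate password hashing schemes (PasswordHash.php).
        require_once(drupal_get_path('module', 'phpass') . '/PasswordHash.php');
        $phpass = new PasswordHash(variable_get('user_hash_strength', 8), variable_get('user_hash_portable', TRUE));
        if (!$phpass->CheckPassword($curpass, $account->hash)) {
          form_error($element, t('Incorrect current password.'));
        }
      }
      else {
        // {users}.pass marks the account as phpass but no hash row exists, so
        // there is nothing to compare against; fail closed.
        form_error($element, t('Incorrect current password.'));
      }
    }
    else {
      // Account not migrated to phpass: legacy MD5 in {users}.pass.
      _password_change_check_md5($element, $account, $curpass);
    }
  }
  else {
    // Core Drupal 6 storage: unsalted MD5 in {users}.pass.
    _password_change_check_md5($element, $account, $curpass);
  }
}

/**
 * Compares the entered password against the legacy MD5 hash in {users}.pass.
 *
 * The legacy core scheme is unsalted MD5; this helper exists only to keep
 * accounts that were never migrated to a stronger scheme verifiable. It sets
 * a form error on $element when the hashes differ.
 *
 * @param $element
 *   The form element to attach the error to.
 * @param $account
 *   The loaded user object whose ->pass holds the stored MD5 hash.
 * @param $curpass
 *   The plain-text password entered by the user.
 */
function _password_change_check_md5($element, $account, $curpass) {
  if ($account->pass !== md5($curpass)) {
    form_error($element, t('Incorrect current password.'));
  }
}

//function password_change_user_profile_form_validate($form, &$form_state) {
//  if (md5($form_state['values']['pass_current']) !== $GLOBALS['user']->pass) {
//    form_set_error('pass_current', 'Incorrect current password.');
//  }
//}

/**
 * Submit handler; clears the reset flag and unsets the current password value.
 *
 * It is placed first in the form's submit handlers so that the entered
 * current password is removed from the values array before any later handler
 * could persist it into $user->data.
 */
function password_change_form_submit_clear_reset($form, &$form_state) {
  password_change_is_reset(FALSE);
  unset($form_state['values']['pass_current']);
}

/**
 * Implements hook_form_FORM_ID_alter().
 *
 * Adds the 'password_change_all' checkbox to the user settings form.
 */
function password_change_form_user_admin_settings_alter(&$form, $form_state) {
  // The array union only adds the fieldset when no other module has already
  // defined a 'security' element.
  $form += array(
    'security' => array(
      '#type' => 'fieldset',
      '#title' => t('Security'),
    ),
  );
  $form['security']['password_change_all'] = array(
    '#type' => 'checkbox',
    '#title' => t("Require the current user to confirm his or her current password when changing any user's account."),
    '#description' => t('Users will still be required to confirm their password when changing their own account regardless of this setting.'),
    '#default_value' => variable_get('password_change_all', FALSE),
  );
}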