uid == $GLOBALS['user']->uid || variable_get('password_change_all', 0)) {
if (password_change_is_reset()) {
// Make the normal password field required if the password was just
// reset.
$form['account']['pass']['#required'] = TRUE;
}
else {
// Add the current password field just below the 'Save' button.
$form['pass_current'] = array(
'#type' => 'password',
'#title' => t('Your current password'),
'#description' => t('For security reasons, enter your current password to confirm your changes.'),
'#size' => 25,
'#weight' => $form['submit']['#weight'] - 0.5,
'#required' => TRUE,
'#element_validate' => array('password_change_validate_password'),
);
}
// Put the submit handler first so we can clear the values before they
// could be saved into $user->data.
array_unshift($form['#submit'], 'password_change_form_submit_clear_reset');
}
}
//unset($form['locale']);
//unset($form['theme_select']);
//unset($form['picture']);
//unset($form['contact']);
//unset($form['timezone']);
}
// based on _phpass_user_authenticate (phpass.module) and _password_load_user, password_user (password.module)
function password_change_validate_password($element, $form_state) {
// map variables
$curpass = $element['#value'];
$account = user_load(array('name' => $GLOBALS['user']->name, 'status' => 1));
// validate with password module method
if (module_exists('password')) {
echo 'password method' . '
';
// Load in the new password hashes from password table (password)
$account->password = db_result(db_query("SELECT pass FROM {password} WHERE uid = %d", $account->uid));
// proceed if new hash is not empty
if (!empty($account->password)) {
// Switch in the new hash into the $account->pass value.
$old_pass = $account->pass;
$account->pass = $account->password;
// Allow alternate password hashing schemes (password.module)
_password_include();
// compare hashes through function user_check_password (password.inc)
$check = user_check_password($curpass, $account);
if ($check != 1) {
// mismatch password hashes returns error
form_error($element, t('Incorrect current password.'));
}
// Switch $account->pass back to the MD5 hash.
$account->pass = $old_pass;
}
// validate with phpass module method (phpass hash method set as 'phpass')
} elseif (module_exists('phpass') && variable_get('user_hash_method', 'phpass') == 'phpass') {
echo 'phpass method' . '
';
// Load in the new password hashes from phpass table (user_phpass)
$account->hash = db_result(db_query("SELECT hash FROM {user_phpass} WHERE uid = %d", $account->uid));
// proceed if new hash is not empty and old hash matches 'phpass'
if (!empty($account->hash) && ($account->pass == 'phpass')) {
// check if PasswordHash.php is missing (phpass.module)
_phpass_is_passwordhash_php_missing();
// Allow alternate password hashing schemes (PasswordHash.php)
require_once(drupal_get_path('module', 'phpass') .'/PasswordHash.php');
// compare hashes through function CheckPassword (PasswordHash.php)
$phpass = new PasswordHash(variable_get('user_hash_strength', 8), variable_get('user_hash_portable', TRUE));
$check = $phpass->CheckPassword($curpass, $account->hash);
if ($check != 1) {
// mismatch password hashes returns error
form_error($element, t('Incorrect current password.'));
}
// else proceed if old has does not match 'phpass' (md5 method)
} elseif ($account->pass != 'phpass') {
// compare hashes through function md5
if ($account->pass !== md5($curpass)) {
// mismatch password hashes returns error
form_error($element, t('Incorrect current password.'));
}
}
// validate with the old md5 method
} else {
// compare hashes through function md5
if ($account->pass !== md5($curpass)) {
// mismatch password hashes returns error
form_error($element, t('Incorrect current password.'));
}
}
}
//function password_change_user_profile_form_validate($form, &$form_state) {
// if (md5($form_state['values']['pass_current']) !== $GLOBALS['user']->pass) {
// form_set_error('pass_current', 'Incorrect current password.');
// }
//}
/**
* Submit handler; reset the reset flag and unset the currnet password value.
*/
function password_change_form_submit_clear_reset($form, &$form_state) {
password_change_is_reset(FALSE);
unset($form_state['values']['pass_current']);
}
/**
* Implements hook_form_FORM_ID_alter().
*/
function password_change_form_user_admin_settings_alter(&$form, $form_state) {
$form += array(
'security' => array(
'#type' => 'fieldset',
'#title' => t('Security'),
),
);
$form['security']['password_change_all'] = array(
'#type' => 'checkbox',
'#title' => t("Require the current user to confirm his or her current password when changing any user's account."),
'#description' => t('Users will still be required to confirm their password when changing their own account regardless of this setting.'),
'#default_value' => variable_get('password_change_all', FALSE),
);
}