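* See http://www.fsf.org/copyleft/gpl.html for license information (GPL).
 *
 *
 * Add the following menu item to imp/config/menu.php:
 *
 * $_menu[] = array(
 *     'url' => '#',
 *     'text' => 'Password',
 *     'icon' => 'lock.gif',
 *     'icon_path' => $registry->getWebRoot('imp') . '/graphics/',
 *     'target' => '',
 *     'onclick' => "window.open('" . Horde::applicationUrl('custom_passwd.php') . "', 'Password', 'width=400,height=300,resizable')"
 * );
 *
 * or:
 *
 * $_menu[] = array(
 *     'url' => Horde::applicationUrl('custom_passwd.php'),
 *     'text' => 'Password',
 *     'icon' => 'lock.gif',
 *     'icon_path' => $registry->getWebRoot('imp') . '/graphics/',
 *     'target' => 'Password',
 *     'onclick' => ''
 * );
 *
 *
 * This code uses the standard horde_users table and a custom table
 * (custom_imp_users); refer to imp/_custom/imp_sql_auth.php for information.
 *
 * This code can easily be modified to provide a password change screen for
 * users authenticated via standard Horde SQL authentication (without the custom table).
 *
 */

// set these
$email_admin_failed_attempts = false;
$email_admin_successes = false;
$admin_email_address = 'admin@example.com'; // preferably a local mailbox

// The database credentials are stored in this web-reachable script, so keep
// the file readable only by the web server account.
$_custom_db_name = 'horde';
$_custom_db_host = 'localhost';
$_custom_db_user = 'horde';
$_custom_db_pass = '*****';

require_once 'lib/base.php';

// Only an authenticated Horde session may reach the password form.
if (!Auth::getAuth()) {
    exit('You are NOT logged in.');
}

// NOTE(review): the mysql_* extension used here was removed in PHP 7.0.
// When this script is ported, replace the escaped queries below with
// mysqli or PDO prepared statements.
$_custom_db = mysql_connect($_custom_db_host, $_custom_db_user, $_custom_db_pass);
if (!$_custom_db || !mysql_select_db($_custom_db_name, $_custom_db)) {
    // Stop here instead of running queries against a missing connection.
    exit('Error: Database is not available');
}

/**
 * Return one submitted POST field as a plain string.
 *
 * Values are read from $_POST explicitly so the script does not depend on
 * register_globals, and array-valued fields are treated as missing.
 *
 * @param string $name  Name of the form field.
 *
 * @return string  The submitted value, or '' when absent or not a string.
 */
function _custom_passwd_field($name)
{
    if (!isset($_POST[$name]) || !is_string($_POST[$name])) {
        return '';
    }

    $value = $_POST[$name];

    // Undo magic_quotes_gpc so passwords are hashed exactly as typed.
    // NOTE(review): assumes lib/base.php does not already strip these
    // slashes from $_POST -- confirm for the installed Horde version.
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        $value = stripslashes($value);
    }

    return $value;
}

/**
 * Return a $_SERVER entry, or '' when the entry is not set.
 *
 * @param string $key  Index into $_SERVER.
 *
 * @return string  The value, or '' (e.g. HTTP_REFERER is often absent).
 */
function _custom_passwd_server($key)
{
    return isset($_SERVER[$key]) ? $_SERVER[$key] : '';
}

?>
<html>
<head>
<title>Change Password</title>
</head>
<body>
<?php

// NOTE(review): the markup in this script is a minimal reconstruction; the
// original tags and the client-side validation script referred to by the
// messages below were not preserved. The field names (user, currentPass,
// newPass, verifyNewPass, transaction) are the ones the handler reads.
$result_html = '<p>%s</p>';

// REQUEST_URI is client-controlled; escape it before it is written into the
// form's action attribute.
$form_action = htmlspecialchars(_custom_passwd_server('REQUEST_URI'), ENT_QUOTES);

// "transaction" is read from $_REQUEST so an update attempted via GET is
// still detected and reported; a non-string value is an invalid transaction.
if (!isset($_REQUEST['transaction'])) {
    $transaction = 'enter';
} elseif (is_string($_REQUEST['transaction'])) {
    $transaction = $_REQUEST['transaction'];
} else {
    $transaction = '';
}

if ($transaction === 'enter') {

    printf('<form method="post" action="%s">' . "\n", $form_action);

    echo '<table>'
       . '<tr><th colspan="2">Change Password</th></tr>'
       . '<tr><td>Username</td>'
       . '<td><input type="text" name="user" /></td></tr>'
       . '<tr><td>Current Password</td>'
       . '<td><input type="password" name="currentPass" /></td></tr>'
       . '<tr><td>New Password</td>'
       . '<td><input type="password" name="newPass" /></td></tr>'
       . '<tr><td>Verify New Password</td>'
       . '<td><input type="password" name="verifyNewPass" /></td></tr>';

    // hidden values and submit button
    echo '<tr><td colspan="2">&nbsp;</td></tr>';
    echo '<tr><td colspan="2">'
       . '<input type="hidden" name="transaction" value="update" />'
       . '<input type="submit" value="Change Password" />'
       . '</td></tr>';
    echo '</table></form>';

} else if ($transaction === 'update') {

    $error_occurred = false;
    $notify_message = 'no message set, you should never receive this message';

    // The credentials are accepted from the POST body only.
    $user = _custom_passwd_field('user');
    $currentPass = _custom_passwd_field('currentPass');
    $newPass = _custom_passwd_field('newPass');
    $verifyNewPass = _custom_passwd_field('verifyNewPass');

    if ($user === '' || $currentPass === '' || $newPass === '' || $verifyNewPass === '') {
        printf($result_html, 'Error: Data is missing');
        $error_occurred = true;
        $notify_message = 'Update transaction called without required POST data, javascript must be disable; Or the update transaction is being accessed via GET - this may be malicious intent';

    // verify password
    } else if ($newPass !== $verifyNewPass) {
        // Strict comparison: with != two different numeric-looking strings
        // (for example "0e1" and "0e2") would be treated as equal.
        printf($result_html, 'Error: New password NOT entered identically twice');
        $error_occurred = true;
        $notify_message = 'New password NOT entered identically twice, javascript must be disable';

    } else {
        // The username is embedded in SQL text, so escape it for this
        // connection before it is placed between quotes.
        $user_sql = mysql_real_escape_string($user, $_custom_db);

        // verify user exists and supplied user name is the current user
        $result = mysql_query("SELECT imp_imapuser FROM custom_imp_users WHERE horde_user_uid = '$user_sql' AND enabled = 1", $_custom_db);

        if ($result && ($myrow = mysql_fetch_row($result))) {
            if ((string)$myrow[0] !== (string)Auth::getAuth()) {
                printf($result_html, 'Error: Invalid username'); // user exists, but is not the current user
                $error_occurred = true;
                $notify_message = 'A valid username was entered, but it was not the authorized user\'s';
            } else {
                // Hash in PHP so the plaintext passwords never appear in the
                // statement text sent to (and possibly logged by) the server.
                // md5() returns hex digits only, so the results are safe to
                // quote directly.
                // NOTE(review): user_pass stays unsalted MD5 because that is
                // the format this script has always written; moving to a
                // salted, slow hash must be done together with the code that
                // verifies horde_users at login.
                $new_hash = md5($newPass);
                $current_hash = md5($currentPass);

                // verify supplied current password matches the existing password
                // (at the moment we attempt the update)
                // and update password
                mysql_query("UPDATE horde_users SET user_pass = '$new_hash' WHERE user_uid = '$user_sql' AND user_pass = '$current_hash'", $_custom_db);

                // Confirm the stored hash is now the new one.
                $result = mysql_query("SELECT COUNT(*) FROM horde_users WHERE user_uid = '$user_sql' AND user_pass = '$new_hash'", $_custom_db);

                if ($result && ($myrow = mysql_fetch_row($result)) && ((int)$myrow[0] === 1)) {
                    printf($result_html, 'Password has been updated');
                    $error_occurred = false;
                    $notify_message = 'Password was successfully updated';
                } else {
                    printf($result_html, 'Error: Password was NOT updated');
                    $error_occurred = true;
                    $notify_message =
                        'Password was NOT updated, most likely ' .
                        'the supplied current password was not correct';
                }
            }
        } else {
            printf($result_html, 'Error: Invalid username'); // user does not exist
            $error_occurred = true;
            $notify_message = 'An invalid username was entered';
        }
    }

    // prepare e-mail
    // The submitted username goes into the plain-text body only; the
    // passwords are never included in the notification.
    if ($email_admin_failed_attempts || $email_admin_successes) {
        if ($user === '') {
            $user_from_form = '[no value was submitted]';
        } else {
            $user_from_form = $user;
        }

        $email_body = sprintf(
            "Date: %s\n\n" .
            "Error Occurred: %s\n\n" .
            "Message: %s\n\n" .
            "Authenticated User: %s\n\n" .
            "Username Submitted: %s\n\n" .
            "PHP_SELF:\n%s\n\n" .
            "SERVER_NAME:\n%s\n\n" .
            "SERVER_PROTOCOL:\n%s\n\n" .
            "REQUEST_METHOD:\n%s\n\n" .
            "QUERY_STRING:\n%s\n\n" .
            "HTTP_REFERER:\n%s\n\n" .
            "HTTP_USER_AGENT:\n%s\n\n" .
            "REMOTE_ADDR:\n%s\n\n" .
            "REMOTE_PORT:\n%s\n\n" .
            "SERVER_PORT:\n%s\n\n" .
            "REQUEST_URI:\n%s\n\n" .
            "------- end -------",
            date('D, F j, Y \a\t g:i A T'),
            (($error_occurred) ? ('true') : ('false')),
            $notify_message,
            Auth::getAuth(),
            $user_from_form,
            _custom_passwd_server('PHP_SELF'),
            _custom_passwd_server('SERVER_NAME'),
            _custom_passwd_server('SERVER_PROTOCOL'),
            _custom_passwd_server('REQUEST_METHOD'),
            _custom_passwd_server('QUERY_STRING'),
            _custom_passwd_server('HTTP_REFERER'),
            _custom_passwd_server('HTTP_USER_AGENT'),
            _custom_passwd_server('REMOTE_ADDR'),
            _custom_passwd_server('REMOTE_PORT'),
            _custom_passwd_server('SERVER_PORT'),
            _custom_passwd_server('REQUEST_URI')
        );
    }

    // e-mail admin failed attempts
    if ($email_admin_failed_attempts && $error_occurred) {
        mail($admin_email_address, 'IMP user: ' . Auth::getAuth() . ' - password change error has occurred', $email_body);
    }

    // email admin successes
    if ($email_admin_successes && !($error_occurred)) {
        mail($admin_email_address, 'IMP user: ' . Auth::getAuth() . ' - password was successfully updated', $email_body);
    }

} else {
    printf($result_html, 'Error: Invalid transaction');
    $error_occurred = true;
}

if ($transaction !== 'enter') {

    printf('<form method="post" action="%s">' . "\n", $form_action);

    if ($error_occurred) {
        // Offer a way back to the entry form after a failed attempt.
        echo '<p>&nbsp;</p>'
           . '<input type="hidden" name="transaction" value="enter" />'
           . '<input type="submit" value="Try Again" />'
           . '<input type="button" value="Close Window" onclick="window.close()" />';
    } else {
        echo '<p>&nbsp;</p>'
           . '<input type="button" value="Close Window" onclick="window.close()" />';
    }

    echo '</form>';
}

?>
</body>
</html>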