<?php
/****************************************************************/
/* ATutor */
/****************************************************************/
/* Copyright (c) 2002-2010 */
/* Inclusive Design Institute */
/* http://atutor.ca */
/* */
/* This program is free software. You can redistribute it and/or*/
/* modify it under the terms of the GNU General Public License */
/* as published by the Free Software Foundation. */
/****************************************************************/
// $Id$
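define('AT_INCLUDE_PATH', '../../../../include/');
require(AT_INCLUDE_PATH.'vitals.inc.php');

// Only an administrator holding the "users" privilege may reach this page.
admin_authenticate(AT_ADMIN_PRIV_USERS);

if (isset($_POST['cancel'])) {
    $msg->addFeedback('CANCELLED');
    header('Location: '.AT_BASE_HREF.'mods/_core/users/admins/index.php');
    exit;
} else if (isset($_POST['submit'])) {
    check_csrf_token();

    /* Password check: the password is verified on the front end by JavaScript
     * (encrypt_password() below). password_error only relays the error keys that
     * script produced, so it is client-controlled and is never trusted on its own:
     * an empty form_password_hidden is rejected below whatever password_error says. */
    $missing_password = false;
    if (isset($_POST['password_error']) && $_POST['password_error'] !== '') {
        $pwd_errors = explode(',', $_POST['password_error']);
        foreach ($pwd_errors as $pwd_error) {
            if ($pwd_error === 'missing_password') {
                $missing_password = true;
            } else {
                // NOTE(review): $pwd_error is an arbitrary client-supplied string;
                // confirm addError() resolves it as a message key rather than echoing it.
                $msg->addError($pwd_error);
            }
        }
    }

    // Server-side guard: the hash is what gets stored, so an empty one must fail
    // even if the JavaScript check was skipped or reported nothing.
    if (!isset($_POST['form_password_hidden']) || $_POST['form_password_hidden'] === '') {
        $missing_password = true;
    }
    if ($missing_password) {
        // Previously "missing_password" was collected into an unused array and never
        // reported, so the update went ahead; report it like the other admin forms do.
        $msg->addError(array('EMPTY_FIELDS', _AT('password')));
    }

    if (!$msg->containsErrors()) {
        // Escape both values the same way the lookup further down does before they
        // are interpolated by queryDB(). Note the stored value is the client-computed
        // hex SHA-1 itself (no server-side salting), so it is password-equivalent.
        $password = $addslashes($_POST['form_password_hidden']);
        $login    = $addslashes($_POST['login']);

        // last_login=last_login keeps that column at its current value; presumably a
        // TIMESTAMP that would otherwise auto-update on this write — verify against schema.
        $sql = "UPDATE %sadmins SET password='%s', last_login=last_login WHERE login='%s'";
        $result = queryDB($sql, array(TABLE_PREFIX, $password, $login));

        // A static version of the SQL that does not write the submitted hash to the log.
        $sql = "UPDATE ".TABLE_PREFIX."admins SET password='********' WHERE login='".$_POST['login']."'";
        write_to_log(AT_ADMIN_LOG_UPDATE, 'admins', $result, $sql);

        $msg->addFeedback('ACTION_COMPLETED_SUCCESSFULLY');
        header('Location: '.AT_BASE_HREF.'mods/_core/users/admins/index.php');
        exit;
    }

    // Validation failed: the form is re-displayed below with the submitted login.
    $_POST['login'] = $stripslashes($_POST['login']);
}

// Look up the admin whose password is being changed. login is read from $_REQUEST so
// it is found whether it arrived by GET (link) or by POST (form re-display).
$_GET['login'] = $addslashes(isset($_REQUEST['login']) ? $_REQUEST['login'] : '');
// privileges is selected too: the first-display branch below reads $row['privileges'],
// which the original login-only SELECT never provided.
$sql = "SELECT login, privileges FROM %sadmins WHERE login='%s'";
$row = queryDB($sql, array(TABLE_PREFIX, $_GET['login']), TRUE);

if (empty($row)) {
    $msg->addError('USER_NOT_FOUND');
    $msg->printErrors();
    require(AT_INCLUDE_PATH.'footer.inc.php');
    exit;
}

if (!isset($_POST['submit'])) {
    // First display: seed the form from the stored row.
    $_POST = $row;
    if (query_bit($row['privileges'], AT_ADMIN_PRIV_ADMIN)) {
        $_POST['priv_admin'] = 1;
    }
    $_POST['privs'] = intval($row['privileges']);
}

$onload = 'document.form.password1.focus();';
require(AT_INCLUDE_PATH.'header.inc.php');
?>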
<script language="JavaScript" src="sha-1factory.js" type="text/javascript"></script>
<script type="text/javascript">
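/**
 * Form submit hook: validates the two password fields on the client, then
 * replaces them with a hex SHA-1 digest in the hidden field form_password_hidden
 * so that only the digest is posted.
 *
 * On failure the error string returned by verify_password() (comma-separated
 * keys, as the server splits it) is placed in password_error for the server to
 * report, and the hidden digest is left untouched.
 *
 * verify_password() and hex_sha1() are defined elsewhere (not in this file).
 */
function encrypt_password()
{
    var form = document.form;
    form.password_error.value = "";

    // Declared with var: the original assigned an implicit global named err.
    var err = verify_password(form.password1.value, form.confirm_password.value);
    if (err.length > 0) {
        form.password_error.value = err;
    } else {
        form.form_password_hidden.value = hex_sha1(form.password1.value);
        // Clear the clear-text fields before the form is submitted.
        form.password1.value = "";
        form.confirm_password.value = "";
    }
}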
</script>
<?php
// Hand the looked-up admin row to the template and render the page body,
// then close the page with the shared footer.
$savant->assign('row', $row);
$savant->display('admin/users/password.tmpl.php');

require AT_INCLUDE_PATH . 'footer.inc.php';
?>