passwordforgotten.php

Go to the documentation of this file.

<?php
/* Copyright (C) 2007-2011  Laurent Destailleur   <eldy@users.sourceforge.net>
 * Copyright (C) 2008-2012  Regis Houssin     <regis.houssin@inodbox.com>
 * Copyright (C) 2008-2011  Juanjo Menent     <jmenent@2byte.es>
 * Copyright (C) 2014       Teddy Andreotti       <125155@supinfo.com>
 * Copyright (C) 2024-2026  MDW           <mdeweerd@users.noreply.github.com>
 * Copyright (C) 2024       Frédéric France         <frederic.france@free.fr>
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation; either version 3 of the License, or
 * (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program. If not, see <https://www.gnu.org/licenses/>.
 */
 
define("NOLOGIN", 1); // This means this output page does not require to be logged.
 
// Load Dolibarr environment
require '../main.inc.php';
require_once DOL_DOCUMENT_ROOT.'/contact/class/contact.class.php';
require_once DOL_DOCUMENT_ROOT.'/core/lib/usergroups.lib.php';
require_once DOL_DOCUMENT_ROOT.'/core/lib/functions2.lib.php';
if (isModEnabled('ldap')) {
  require_once DOL_DOCUMENT_ROOT.'/core/class/ldap.class.php';
}
 
// Load translation files required by page
$langs->loadLangs(array('errors', 'users', 'companies', 'ldap', 'other'));
 
// Security check
if (getDolGlobalString('MAIN_SECURITY_DISABLEFORGETPASSLINK')) {
  header("Location: ".DOL_URL_ROOT.'/');
  exit;
}
 
$action = GETPOST('action', 'aZ09');
$mode = $dolibarr_main_authentication;
if (!$mode) {
  $mode = 'http';
}
 
$username = GETPOST('username', 'alphanohtml');
$passworduidhash = GETPOST('passworduidhash', 'alpha');
$setnewpassword = GETPOST('setnewpassword', 'aZ09');
 
$conf->entity = (GETPOSTINT('entity') ? GETPOSTINT('entity') : 1);
 
// Instantiate hooks of thirdparty module only if not already define
$hookmanager->initHooks(array('passwordforgottenpage'));
 
 
if (GETPOST('dol_hide_leftmenu', 'alpha') || !empty($_SESSION['dol_hide_leftmenu'])) {
  $conf->dol_hide_leftmenu = 1;
}
if (GETPOST('dol_hide_topmenu', 'alpha') || !empty($_SESSION['dol_hide_topmenu'])) {
  $conf->dol_hide_topmenu = 1;
}
if (GETPOST('dol_optimize_smallscreen', 'alpha') || !empty($_SESSION['dol_optimize_smallscreen'])) {
  $conf->dol_optimize_smallscreen = 1;
}
if (GETPOST('dol_no_mouse_hover', 'alpha') || !empty($_SESSION['dol_no_mouse_hover'])) {
  $conf->dol_no_mouse_hover = 1;
}
if (GETPOST('dol_use_jmobile', 'alpha') || !empty($_SESSION['dol_use_jmobile'])) {
  $conf->dol_use_jmobile = 1;
}
 
 
/*
 * Actions
 */
 
$parameters = array('username' => $username);
$reshook = $hookmanager->executeHooks('doActions', $parameters, $object, $action); // Note that $action and $object may have been modified by some hooks
if ($reshook < 0) {
  $message = $hookmanager->error;
} else {
  $message = '';
}
 
if (empty($reshook)) {
  // Validate new password
  if ($action == 'validatenewpassword' && $username && $passworduidhash) {  // Test on permission not required here. Security is managed by $passworduihash
    $edituser = new User($db);
    $result = $edituser->fetch(0, $username, '', 0, $conf->entity);
    if ($result < 0) {
      $message = '<div class="error">'.dol_escape_htmltag($langs->trans("ErrorTechnicalError")).'</div>';
    } else {
      global $conf;
 
      //print $edituser->pass_temp.'-'.$edituser->id.'-'.$conf->file->instance_unique_id.' '.$passworduidhash;
      if ($edituser->pass_temp && dol_verifyHash($edituser->pass_temp.'-'.$edituser->id.'-'.$conf->file->instance_unique_id, $passworduidhash)) {
        // Clear session
        unset($_SESSION['dol_login']);
        $_SESSION['dol_loginmesg'] = '<!-- warning -->'.$langs->transnoentitiesnoconv('NewPasswordValidated'); // Save message for the session page
 
        $newpassword = $edituser->setPassword($user, $edituser->pass_temp, 0);
        dol_syslog("passwordforgotten.php new password for user->id=".$edituser->id." validated in database");
 
        header("Location: ".DOL_URL_ROOT.'/?username='.urlencode($edituser->login));
        exit;
      } else {
        $langs->load("errors");
        $message = '<div class="error">'.$langs->trans("ErrorFailedToValidatePasswordReset").'</div>';
      }
    }
  }
 
  // Action to set a temporary password and send email for reset
  if ($action == 'buildnewpassword' && $username) { // Test on permission not required here. This action is done anonymously.
    $sessionkey = 'dol_antispam_value';
    $ok = (array_key_exists($sessionkey, $_SESSION) && (strtolower($_SESSION[$sessionkey]) == strtolower(GETPOST('code'))));
 
    // Verify code
    if (!$ok) {
      dol_syslog('Bad value for code, password reset refused', LOG_NOTICE);
 
      $message = '<div class="error">'.$langs->trans("ErrorBadValueForCode").'</div>';
    } else {
      $isanemail = preg_match('/@/', $username);
 
      $edituser = new User($db);
      $result = $edituser->fetch(0, $username, '', 1, $conf->entity);
      if ($result == 0 && $isanemail) {
        $result = $edituser->fetch(0, '', '', 1, $conf->entity, $username);
      }
 
      // If the user does not have the right to change his own password
      if ($result > 0) {
        $edituser->loadRights('user');
        if (!$edituser->hasRight('user', 'self', 'password')) {
          $result = 0;
          $edituser->error = 'USERNOTALLOWEDTOCHANGEPASS';
        }
      }
 
      // Set the message to show (must be the same if login/email exists or not to avoid to guess them.
      $messagewarning = '<div class="warning paddingtopbottom'.(!getDolGlobalString('MAIN_LOGIN_BACKGROUND') ? '' : ' backgroundsemitransparent boxshadow').'">';
      if (!$isanemail) {
        $messagewarning .= $langs->trans("IfLoginExistPasswordRequestSent");
      } else {
        $messagewarning .= $langs->trans("IfEmailExistPasswordRequestSent");
      }
      $messagewarning .= '</div>';
 
      if ($result <= 0 && ($edituser->error == 'USERNOTFOUND' || $edituser->error == 'USERNOTALLOWEDTOCHANGEPASS')) {
        usleep(20000);  // add delay to simulate setPassword() and send_password() actions delay (0.02s)
        $message .= $messagewarning;
        $username = '';
      } else {
        if (empty($edituser->email)) {
          usleep(20000);  // add delay to simulate setPassword() and send_password() actions delay (0.02s)
          $message .= $messagewarning;
        } else {
          $newpassword = $edituser->setPassword($user, '', 1);
          if (is_int($newpassword) && $newpassword < 0) {
            // Technical failure
            $message = '<div class="error">'.$langs->trans("ErrorFailedToChangePassword").'</div>';
          } else {
            // Success to set temporary password, send email
            if ($edituser->send_password($user, $newpassword, 1) > 0) {
              $message .= $messagewarning;
              $username = '';
            } else {
              // Technical failure
              $message .= '<div class="error">'.$edituser->error.'</div>';
            }
          }
        }
      }
    }
  }
}
 
 
/*
 * View
 */
 
$dol_url_root = DOL_URL_ROOT;
 
$appli = constant('DOL_APPLICATION_TITLE');
$applicustom = getDolGlobalString('MAIN_APPLICATION_TITLE');
if ($applicustom) {
  $appli = (preg_match('/^\+/', $applicustom) ? $appli : '').$applicustom;
} else {
  $appli .= " ".DOL_VERSION;
}
 
// Title
$title = $appli;  // $title is used in .tpl file
 
// Select templates dir
$template_dir = '';
if (!empty($conf->modules_parts['tpl'])) {  // Using this feature slow down application
  $dirtpls = array_merge($conf->modules_parts['tpl'], array('/core/tpl/'));
  foreach ($dirtpls as $reldir) {
    $tmp = dol_buildpath($reldir.'passwordforgotten.tpl.php');
    if (file_exists($tmp)) {
      $template_dir = preg_replace('/passwordforgotten\.tpl\.php$/', '', $tmp);
      break;
    }
  }
} elseif (file_exists(DOL_DOCUMENT_ROOT."/theme/".$conf->theme."/tpl/passwordforgotten.tpl.php")) {
  $template_dir = DOL_DOCUMENT_ROOT."/theme/".$conf->theme."/tpl/";
} else {
  $template_dir = DOL_DOCUMENT_ROOT."/core/tpl/";
}
 
if (!$username) {
  $focus_element = 'username';
} else {
  $focus_element = 'password';
}
 
// Show logo (search in order: small company logo, large company logo, theme logo, common logo)
$width = 0;
$rowspan = 2;
$urllogo = DOL_URL_ROOT.'/theme/common/login_logo.png';
if (!empty($mysoc->logo_small) && is_readable($conf->mycompany->dir_output.'/logos/thumbs/'.$mysoc->logo_small)) {
  $urllogo = DOL_URL_ROOT.'/viewimage.php?cache=1&amp;modulepart=mycompany&amp;file='.urlencode('logos/thumbs/'.$mysoc->logo_small);
} elseif (!empty($mysoc->logo_small) && is_readable($conf->mycompany->dir_output.'/logos/'.$mysoc->logo)) {
  $urllogo = DOL_URL_ROOT.'/viewimage.php?cache=1&amp;modulepart=mycompany&amp;file='.urlencode('logos/'.$mysoc->logo);
  $width = 128;
} elseif (is_readable(DOL_DOCUMENT_ROOT.'/theme/'.$conf->theme.'/img/dolibarr_logo.svg')) {
  $urllogo = DOL_URL_ROOT.'/theme/'.$conf->theme.'/img/dolibarr_logo.svg';
} elseif (is_readable(DOL_DOCUMENT_ROOT.'/theme/dolibarr_logo.svg')) {
  $urllogo = DOL_URL_ROOT.'/theme/dolibarr_logo.svg';
}
 
// Send password button enabled ?
$disabled = 'disabled';
if (preg_match('/dolibarr/i', $mode)) {
  $disabled = '';
}
if (getDolGlobalString('MAIN_SECURITY_ENABLE_SENDPASSWORD')) {
  $disabled = ''; // To force button enabled
}
 
// Security graphical code
$captcha = '';
if (!$disabled) {
  $captcha = getDolGlobalString('MAIN_SECURITY_ENABLECAPTCHA_HANDLER', 'standard');
}
 
// Execute hook getPasswordForgottenPageOptions (for table)
$parameters = array('entity' => GETPOSTINT('entity'));
$hookmanager->executeHooks('getPasswordForgottenPageOptions', $parameters); // Note that $action and $object may have been modified by some hooks
if (is_array($hookmanager->resArray) && !empty($hookmanager->resArray)) {
  $morelogincontent = $hookmanager->resArray; // (deprecated) For compatibility
} else {
  $morelogincontent = $hookmanager->resPrint;
}
 
// Execute hook getPasswordForgottenPageExtraOptions (eg for js)
$parameters = array('entity' => GETPOSTINT('entity'));
$reshook = $hookmanager->executeHooks('getPasswordForgottenPageExtraOptions', $parameters); // Note that $action and $object may have been modified by some hooks.
$moreloginextracontent = $hookmanager->resPrint;
 
if (empty($setnewpassword)) {
  include $template_dir.'passwordforgotten.tpl.php'; // To use native PHP
} else {
  include $template_dir.'passwordreset.tpl.php'; // To use native PHP
}