user.pages.inc

  1. 7.x drupal-7.x/modules/user/user.pages.inc
  2. 6.x drupal-6.x/modules/user/user.pages.inc

User page callback file for the user module.

File

drupal-6.x/modules/user/user.pages.inc
View source
  1. <?php

  2. 

  3. /**

  4.  * @file

  5.  * User page callback file for the user module.

  6.  */

  7. 

  8. /**

  9.  * Menu callback; Retrieve a JSON object containing autocomplete suggestions for existing users.

  10.  */

  11. function user_autocomplete($string = '') {

  12.   $matches = array();

  13.   if ($string) {

  14.     $result = db_query_range("SELECT name FROM {users} WHERE LOWER(name) LIKE LOWER('%s%%')", $string, 0, 10);

  15.     while ($user = db_fetch_object($result)) {

  16.       $matches[$user->name] = check_plain($user->name);

  17.     }

  18.   }

  19. 

  20.   drupal_json($matches);

  21. }

  22. 

  23. /**

  24.  * Form builder; Request a password reset.

  25.  *

  26.  * @ingroup forms

  27.  * @see user_pass_validate()

  28.  * @see user_pass_submit()

  29.  */

  30. function user_pass() {

  31.   $form['name'] = array(

  32.     '#type' => 'textfield',

  33.     '#title' => t('Username or e-mail address'),

  34.     '#size' => 60,

  35.     '#maxlength' => max(USERNAME_MAX_LENGTH, EMAIL_MAX_LENGTH),

  36.     '#required' => TRUE,

  37.   );

  38.   $form['submit'] = array('#type' => 'submit', '#value' => t('E-mail new password'));

  39. 

  40.   return $form;

  41. }

  42. 

  43. function user_pass_validate($form, &$form_state) {

  44.   $name = trim($form_state['values']['name']);

  45.   

  46. 

  47.   // Try to load by email.

  48.   $account = user_load(array('mail' => $name, 'status' => 1));

  49.   if (!$account) {

  50.     // No success, try to load by name.

  51.     $account = user_load(array('name' => $name, 'status' => 1));

  52.   }

  53.   if ($account) {

  54.     // Blocked accounts cannot request a new password,

  55.     // check provided username and email against access rules.

  56.     if (drupal_is_denied('user', $account->name) || drupal_is_denied('mail', $account->mail)) {

  57.       form_set_error('name', t('%name is not allowed to request a new password.', array('%name' => $name)));

  58.     }

  59.   }

  60.   if (isset($account->uid)) {

  61.     form_set_value(array('#parents' => array('account')), $account, $form_state);

  62.   }

  63.   else {

  64.     form_set_error('name', t('Sorry, %name is not recognized as a user name or an e-mail address.', array('%name' => $name)));

  65.   }

  66. }

  67. 

  68. function user_pass_submit($form, &$form_state) {

  69.   global $language;

  70. 

  71.   $account = $form_state['values']['account'];

  72.   // Mail one time login URL and instructions using current language.

  73.   _user_mail_notify('password_reset', $account, $language);

  74.   watchdog('user', 'Password reset instructions mailed to %name at %email.', array('%name' => $account->name, '%email' => $account->mail));

  75.   drupal_set_message(t('Further instructions have been sent to your e-mail address.'));

  76. 

  77.   $form_state['redirect'] = 'user';

  78.   return;

  79. }

  80. 

  81. /**

  82.  * Menu callback; process one time login link and redirects to the user page on success.

  83.  */

  84. function user_pass_reset(&$form_state, $uid, $timestamp, $hashed_pass, $action = NULL) {

  85.   global $user;

  86. 

  87.   // Check if the user is already logged in. The back button is often the culprit here.

  88.   if ($user->uid) {

  89.     drupal_set_message(t('You have already used this one-time login link. It is not necessary to use this link to login anymore. You are already logged in.'));

  90.     drupal_goto();

  91.   }

  92.   else {

  93.     // Time out, in seconds, until login URL expires. 24 hours = 86400 seconds.

  94.     $timeout = 86400;

  95.     $current = time();

  96.     // Some redundant checks for extra security ?

  97.     if ($timestamp < $current && $account = user_load(array('uid' => $uid, 'status' => 1)) ) {

  98.       // Deny one-time login to blocked accounts.

  99.       if (drupal_is_denied('user', $account->name) || drupal_is_denied('mail', $account->mail)) {

  100.         drupal_set_message(t('You have tried to use a one-time login for an account which has been blocked.'), 'error');

  101.         drupal_goto();

  102.       }

  103. 

  104.       // No time out for first time login.

  105.       if ($account->login && $current - $timestamp > $timeout) {

  106.         drupal_set_message(t('You have tried to use a one-time login link that has expired. Please request a new one using the form below.'));

  107.         drupal_goto('user/password');

  108.       }

  109.       else if ($account->uid && $timestamp > $account->login && $timestamp < $current && $hashed_pass == user_pass_rehash($account->pass, $timestamp, $account->login)) {

  110.         // First stage is a confirmation form, then login

  111.         if ($action == 'login') {

  112.           watchdog('user', 'User %name used one-time login link at time %timestamp.', array('%name' => $account->name, '%timestamp' => $timestamp));

  113.           // Set the new user.

  114.           $user = $account;

  115.           // user_authenticate_finalize() also updates the login timestamp of the

  116.           // user, which invalidates further use of the one-time login link.

  117.           user_authenticate_finalize($form_state['values']);

  118.           drupal_set_message(t('You have just used your one-time login link. It is no longer necessary to use this link to login. Please change your password.'));

  119.           drupal_goto('user/'. $user->uid .'/edit');

  120.         }

  121.         else {

  122.           $form['message'] = array('#value' => t('<p>This is a one-time login for %user_name and will expire on %expiration_date.</p><p>Click on this button to login to the site and change your password.</p>', array('%user_name' => $account->name, '%expiration_date' => format_date($timestamp + $timeout))));

  123.           $form['help'] = array('#value' => '<p>'. t('This login can be used only once.') .'</p>');

  124.           $form['submit'] = array('#type' => 'submit', '#value' => t('Log in'));

  125.           $form['#action'] = url("user/reset/$uid/$timestamp/$hashed_pass/login");

  126.           return $form;

  127.         }

  128.       }

  129.       else {

  130.         drupal_set_message(t('You have tried to use a one-time login link which has either been used or is no longer valid. Please request a new one using the form below.'));

  131.         drupal_goto('user/password');

  132.       }

  133.     }

  134.     else {

  135.       // Deny access, no more clues.

  136.       // Everything will be in the watchdog's URL for the administrator to check.

  137.       drupal_access_denied();

  138.     }

  139.   }

  140. }

  141. 

  142. /**

  143.  * Menu callback; logs the current user out, and redirects to the home page.

  144.  */

  145. function user_logout() {

  146.   global $user;

  147. 

  148.   watchdog('user', 'Session closed for %name.', array('%name' => $user->name));

  149. 

  150.   // Destroy the current session:

  151.   session_destroy();

  152.   // Only variables can be passed by reference workaround.

  153.   $null = NULL;

  154.   user_module_invoke('logout', $null, $user);

  155. 

  156.   // Load the anonymous user

  157.   $user = drupal_anonymous_user();

  158. 

  159.   drupal_goto();

  160. }

  161. 

  162. /**

  163.  * Menu callback; Displays a user or user profile page.

  164.  */

  165. function user_view($account) {

  166.   drupal_set_title(check_plain($account->name));

  167.   // Retrieve all profile fields and attach to $account->content.

  168.   user_build_content($account);

  169. 

  170.   // To theme user profiles, copy modules/user/user_profile.tpl.php

  171.   // to your theme directory, and edit it as instructed in that file's comments.

  172.   return theme('user_profile', $account);

  173. }

  174. 

  175. /**

  176.  * Process variables for user-profile.tpl.php.

  177.  *

  178.  * The $variables array contains the following arguments:

  179.  * - $account

  180.  *

  181.  * @see user-picture.tpl.php

  182.  */

  183. function template_preprocess_user_profile(&$variables) {

  184.   $variables['profile'] = array();

  185.   // Sort sections by weight

  186.   uasort($variables['account']->content, 'element_sort');

  187.   // Provide keyed variables so themers can print each section independantly.

  188.   foreach (element_children($variables['account']->content) as $key) {

  189.     $variables['profile'][$key] = drupal_render($variables['account']->content[$key]);

  190.   }

  191.   // Collect all profiles to make it easier to print all items at once.

  192.   $variables['user_profile'] = implode($variables['profile']);

  193. }

  194. 

  195. /**

  196.  * Process variables for user-profile-item.tpl.php.

  197.  *

  198.  * The $variables array contains the following arguments:

  199.  * - $element

  200.  *

  201.  * @see user-profile-item.tpl.php

  202.  */

  203. function template_preprocess_user_profile_item(&$variables) {

  204.   $variables['title'] = $variables['element']['#title'];

  205.   $variables['value'] = $variables['element']['#value'];

  206.   $variables['attributes'] = '';

  207.   if (isset($variables['element']['#attributes'])) {

  208.     $variables['attributes'] = drupal_attributes($variables['element']['#attributes']);

  209.   }

  210. }

  211. 

  212. /**

  213.  * Process variables for user-profile-category.tpl.php.

  214.  *

  215.  * The $variables array contains the following arguments:

  216.  * - $element

  217.  *

  218.  * @see user-profile-category.tpl.php

  219.  */

  220. function template_preprocess_user_profile_category(&$variables) {

  221.   $variables['title'] = check_plain($variables['element']['#title']);

  222.   $variables['profile_items'] = $variables['element']['#children'];

  223.   $variables['attributes'] = '';

  224.   if (isset($variables['element']['#attributes'])) {

  225.     $variables['attributes'] = drupal_attributes($variables['element']['#attributes']);

  226.   }

  227. }

  228. 

  229. /**

  230.  * Form builder; Present the form to edit a given user or profile category.

  231.  *

  232.  * @ingroup forms

  233.  * @see user_edit_validate()

  234.  * @see user_edit_submit()

  235.  */

  236. function user_edit($account, $category = 'account') {

  237.   drupal_set_title(check_plain($account->name));

  238.   return drupal_get_form('user_profile_form', $account, $category);

  239. }

  240. 

  241. /**

  242.  * Form builder; edit a user account or one of their profile categories.

  243.  *

  244.  * @ingroup forms

  245.  * @see user_profile_form_validate()

  246.  * @see user_profile_form_submit()

  247.  * @see user_edit_delete_submit()

  248.  */

  249. function user_profile_form($form_state, $account, $category = 'account') {

  250. 

  251.   $edit = (empty($form_state['values'])) ? (array)$account : $form_state['values'];

  252. 

  253.   $form = _user_forms($edit, $account, $category);

  254.   $form['_category'] = array('#type' => 'value', '#value' => $category);

  255.   $form['_account'] = array('#type' => 'value', '#value' => $account);

  256.   $form['submit'] = array('#type' => 'submit', '#value' => t('Save'), '#weight' => 30);

  257.   if (user_access('administer users')) {

  258.     $form['delete'] = array(

  259.       '#type' => 'submit',

  260.       '#value' => t('Delete'),

  261.       '#weight' => 31,

  262.       '#submit' => array('user_edit_delete_submit'),

  263.     );

  264.   }

  265.   $form['#attributes']['enctype'] = 'multipart/form-data';

  266. 

  267.   return $form;

  268. }

  269. 

  270. /**

  271.  * Validation function for the user account and profile editing form.

  272.  */

  273. function user_profile_form_validate($form, &$form_state) {

  274.   user_module_invoke('validate', $form_state['values'], $form_state['values']['_account'], $form_state['values']['_category']);

  275.   // Validate input to ensure that non-privileged users can't alter protected data.

  276.   if ((!user_access('administer users') && array_intersect(array_keys($form_state['values']), array('uid', 'init', 'session'))) || (!user_access('administer permissions') && isset($form_state['values']['roles']))) {

  277.     watchdog('security', 'Detected malicious attempt to alter protected user fields.', array(), WATCHDOG_WARNING);

  278.     // set this to a value type field

  279.     form_set_error('category', t('Detected malicious attempt to alter protected user fields.'));

  280.   }

  281. }

  282. 

  283. /**

  284.  * Submit function for the user account and profile editing form.

  285.  */

  286. function user_profile_form_submit($form, &$form_state) {

  287.   $account = $form_state['values']['_account'];

  288.   $category = $form_state['values']['_category'];

  289.   unset($form_state['values']['_account'], $form_state['values']['op'], $form_state['values']['submit'], $form_state['values']['delete'], $form_state['values']['form_token'], $form_state['values']['form_id'], $form_state['values']['_category']);

  290.   user_module_invoke('submit', $form_state['values'], $account, $category);

  291.   user_save($account, $form_state['values'], $category);

  292. 

  293.   // Clear the page cache because pages can contain usernames and/or profile information:

  294.   cache_clear_all();

  295. 

  296.   drupal_set_message(t('The changes have been saved.'));

  297.   return;

  298. }

  299. 

  300. /**

  301.  * Submit function for the 'Delete' button on the user edit form.

  302.  */

  303. function user_edit_delete_submit($form, &$form_state) {

  304.   $destination = '';

  305.   if (isset($_REQUEST['destination'])) {

  306.     $destination = drupal_get_destination();

  307.     unset($_REQUEST['destination']);

  308.   }

  309.   // Note: We redirect from user/uid/edit to user/uid/delete to make the tabs disappear.

  310.   $form_state['redirect'] = array("user/". $form_state['values']['_account']->uid ."/delete", $destination);

  311. }

  312. 

  313. /**

  314.  * Form builder; confirm form for user deletion.

  315.  *

  316.  * @ingroup forms

  317.  * @see user_confirm_delete_submit()

  318.  */

  319. function user_confirm_delete(&$form_state, $account) {

  320. 

  321.   $form['_account'] = array('#type' => 'value', '#value' => $account);

  322. 

  323.   return confirm_form($form,

  324.     t('Are you sure you want to delete the account %name?', array('%name' => $account->name)),

  325.     'user/'. $account->uid,

  326.     t('All submissions made by this user will be attributed to the anonymous account. This action cannot be undone.'),

  327.     t('Delete'), t('Cancel'));

  328. }

  329. 

  330. /**

  331.  * Submit function for the confirm form for user deletion.

  332.  */

  333. function user_confirm_delete_submit($form, &$form_state) {

  334.   user_delete($form_state['values'], $form_state['values']['_account']->uid);

  335.   drupal_set_message(t('%name has been deleted.', array('%name' => $form_state['values']['_account']->name)));

  336. 

  337.   if (!isset($_REQUEST['destination'])) {

  338.     $form_state['redirect'] = 'admin/user/user';

  339.   }

  340. }

  341. 

  342. function user_edit_validate($form, &$form_state) {

  343.   user_module_invoke('validate', $form_state['values'], $form_state['values']['_account'], $form_state['values']['_category']);

  344.   // Validate input to ensure that non-privileged users can't alter protected data.

  345.   if ((!user_access('administer users') && array_intersect(array_keys($form_state['values']), array('uid', 'init', 'session'))) || (!user_access('administer permissions') && isset($form_state['values']['roles']))) {

  346.     watchdog('security', 'Detected malicious attempt to alter protected user fields.', array(), WATCHDOG_WARNING);

  347.     // set this to a value type field

  348.     form_set_error('category', t('Detected malicious attempt to alter protected user fields.'));

  349.   }

  350. }

  351. 

  352. function user_edit_submit($form, &$form_state) {

  353.   $account = $form_state['values']['_account'];

  354.   $category = $form_state['values']['_category'];

  355.   unset($form_state['values']['_account'], $form_state['values']['op'], $form_state['values']['submit'], $form_state['values']['delete'], $form_state['values']['form_token'], $form_state['values']['form_id'], $form_state['values']['_category']);

  356.   user_module_invoke('submit', $form_state['values'], $account, $category);

  357.   user_save($account, $form_state['values'], $category);

  358. 

  359.   // Clear the page cache because pages can contain usernames and/or profile information:

  360.   cache_clear_all();

  361. 

  362.   drupal_set_message(t('The changes have been saved.'));

  363.   return;

  364. }

  365. 

  366. /**

  367.  * Access callback for path /user.

  368.  *

  369.  * Displays user profile if user is logged in, or login form for anonymous

  370.  * users.

  371.  */

  372. function user_page() {

  373.   global $user;

  374.   if ($user->uid) {

  375.     menu_set_active_item('user/'. $user->uid);

  376.     return menu_execute_active_handler();

  377.   }

  378.   else {

  379.     return drupal_get_form('user_login');

  380.   }

  381. }