Révision 01dfd3b5
Ajouté par Assos Assos il y a plus de 3 ans
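--- a/drupal7/modules/user/user.pages.inc
+++ b/drupal7/modules/user/user.pages.inc
@@ -66,6 +66,22 @@
 * @see user_pass_submit()
 */
 function user_pass_validate($form, &$form_state) {
+if (isset($form_state['values']['name']) && !is_scalar($form_state['values']['name'])) {
+form_set_error('name', t('An illegal value has been detected. Please contact the site administrator.'));
+return;
+}
+$user_pass_reset_ip_window = variable_get('user_pass_reset_ip_window', 3600);
+// Do not allow any password reset from the current user's IP if the limit
+// has been reached. Default is 50 attempts allowed in one hour. This is
+// independent of the per-user limit to catch attempts from one IP to request
+// resets for many different user accounts. We have a reasonably high limit
+// since there may be only one apparent IP for all users at an institution.
+if (!flood_is_allowed('pass_reset_ip', variable_get('user_pass_reset_ip_limit', 50), $user_pass_reset_ip_window)) {
+form_set_error('name', t('Sorry, too many password reset attempts from your IP address. This IP address is temporarily blocked. Try again later or <a href="@url">request a new password</a>.', array('@url' => url('user/password'))));
+return;
+}
+// Always register an per-IP event.
+flood_register_event('pass_reset_ip', $user_pass_reset_ip_window);
 $name = trim($form_state['values']['name']);
 // Try to load by email.
 $users = user_load_multiple(array(), array('mail' => $name, 'status' => '1'));
@@ -76,6 +92,19 @@
 $account = reset($users);
 }
 if (isset($account->uid)) {
+// Register user flood events based on the uid only, so they can be cleared
+// when a password is reset successfully.
+$identifier = $account->uid;
+$user_pass_reset_user_window = variable_get('user_pass_reset_user_window', 21600);
+$user_pass_reset_user_limit = variable_get('user_pass_reset_user_limit', 5);
+// Don't allow password reset if the limit for this user has been reached.
+// Default is to allow 5 passwords resets every 6 hours.
+if (!flood_is_allowed('pass_reset_user', $user_pass_reset_user_limit, $user_pass_reset_user_window, $identifier)) {
+form_set_error('name', format_plural($user_pass_reset_user_limit, 'Sorry, there has been more than one password reset attempt for this account. It is temporarily blocked. Try again later or <a href="@url">login with your password</a>.', 'Sorry, there have been more than @count password reset attempts for this account. It is temporarily blocked. Try again later or <a href="@url">login with your password</a>.', array('@url' => url('user/login'))));
+return;
+}
+// Register a per-user event.
+flood_register_event('pass_reset_user', $user_pass_reset_user_window, $identifier);
 form_set_value(array('#parents' => array('account')), $account, $form_state);
 }
 else {
@@ -161,6 +190,8 @@
 // user_login_finalize() also updates the login timestamp of the
 // user, which invalidates further use of the one-time login link.
 user_login_finalize();
+// Clear any password reset flood events for this user.
+flood_clear_event('pass_reset_user', $account->uid);
 watchdog('user', 'User %name used one-time login link at time %timestamp.', array('%name' => $account->name, '%timestamp' => $timestamp));
 drupal_set_message(t('You have just used your one-time login link. It is no longer necessary to use this link to log in. Please change your password.'));
 // Let the user's password be changed without the current password check.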
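Review bot: Neither flood rejection in user_pass_validate() (the `return;` after the `pass_reset_ip` check and the one after the `pass_reset_user` check) records anything, so a site operator gets no signal that the reset limits are being hit. Because the per-user counter is keyed on the uid alone, requests from any client count toward it and can suspend resets for that account for the configured window (21600 seconds by default), which makes a log entry worth having. Before the per-user `return;` I would add `watchdog('user', 'Password reset flood limit reached for uid %uid.', array('%uid' => $account->uid), WATCHDOG_WARNING);`, with an equivalent message without the uid in the per-IP branch. The per-IP check passes no identifier, so it presumably falls back to the client address as Drupal sees it; behind a reverse proxy that is only meaningful when the proxy settings are configured, which deserves a sentence in the comment above the check. The function body continues past the `else {` outside the shown hunks.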
Update to 7.77