Révision 01dfd3b5
Ajouté par Assos Assos il y a plus de 3 ans
| drupal7/modules/user/user.pages.inc | ||
|---|---|---|
| 66 | 66 |
* @see user_pass_submit() |
| 67 | 67 |
*/ |
| 68 | 68 |
function user_pass_validate($form, &$form_state) {
|
| 69 |
if (isset($form_state['values']['name']) && !is_scalar($form_state['values']['name'])) {
|
|
| 70 |
form_set_error('name', t('An illegal value has been detected. Please contact the site administrator.'));
|
|
| 71 |
return; |
|
| 72 |
} |
|
| 73 |
$user_pass_reset_ip_window = variable_get('user_pass_reset_ip_window', 3600);
|
|
| 74 |
// Do not allow any password reset from the current user's IP if the limit |
|
| 75 |
// has been reached. Default is 50 attempts allowed in one hour. This is |
|
| 76 |
// independent of the per-user limit to catch attempts from one IP to request |
|
| 77 |
// resets for many different user accounts. We have a reasonably high limit |
|
| 78 |
// since there may be only one apparent IP for all users at an institution. |
|
| 79 |
if (!flood_is_allowed('pass_reset_ip', variable_get('user_pass_reset_ip_limit', 50), $user_pass_reset_ip_window)) {
|
|
| 80 |
form_set_error('name', t('Sorry, too many password reset attempts from your IP address. This IP address is temporarily blocked. Try again later or <a href="@url">request a new password</a>.', array('@url' => url('user/password'))));
|
|
| 81 |
return; |
|
| 82 |
} |
|
| 83 |
// Always register an per-IP event. |
|
| 84 |
flood_register_event('pass_reset_ip', $user_pass_reset_ip_window);
|
|
| 69 | 85 |
$name = trim($form_state['values']['name']); |
| 70 | 86 |
// Try to load by email. |
| 71 | 87 |
$users = user_load_multiple(array(), array('mail' => $name, 'status' => '1'));
|
| ... | ... | |
| 76 | 92 |
$account = reset($users); |
| 77 | 93 |
} |
| 78 | 94 |
if (isset($account->uid)) {
|
| 95 |
// Register user flood events based on the uid only, so they can be cleared |
|
| 96 |
// when a password is reset successfully. |
|
| 97 |
$identifier = $account->uid; |
|
| 98 |
$user_pass_reset_user_window = variable_get('user_pass_reset_user_window', 21600);
|
|
| 99 |
$user_pass_reset_user_limit = variable_get('user_pass_reset_user_limit', 5);
|
|
| 100 |
// Don't allow password reset if the limit for this user has been reached. |
|
| 101 |
// Default is to allow 5 passwords resets every 6 hours. |
|
| 102 |
if (!flood_is_allowed('pass_reset_user', $user_pass_reset_user_limit, $user_pass_reset_user_window, $identifier)) {
|
|
| 103 |
form_set_error('name', format_plural($user_pass_reset_user_limit, 'Sorry, there has been more than one password reset attempt for this account. It is temporarily blocked. Try again later or <a href="@url">login with your password</a>.', 'Sorry, there have been more than @count password reset attempts for this account. It is temporarily blocked. Try again later or <a href="@url">login with your password</a>.', array('@url' => url('user/login'))));
|
|
| 104 |
return; |
|
| 105 |
} |
|
| 106 |
// Register a per-user event. |
|
| 107 |
flood_register_event('pass_reset_user', $user_pass_reset_user_window, $identifier);
|
|
| 79 | 108 |
form_set_value(array('#parents' => array('account')), $account, $form_state);
|
| 80 | 109 |
} |
| 81 | 110 |
else {
|
| ... | ... | |
| 161 | 190 |
// user_login_finalize() also updates the login timestamp of the |
| 162 | 191 |
// user, which invalidates further use of the one-time login link. |
| 163 | 192 |
user_login_finalize(); |
| 193 |
// Clear any password reset flood events for this user. |
|
| 194 |
flood_clear_event('pass_reset_user', $account->uid);
|
|
| 164 | 195 |
watchdog('user', 'User %name used one-time login link at time %timestamp.', array('%name' => $account->name, '%timestamp' => $timestamp));
|
| 165 | 196 |
drupal_set_message(t('You have just used your one-time login link. It is no longer necessary to use this link to log in. Please change your password.'));
|
| 166 | 197 |
// Let the user's password be changed without the current password check. |
Formats disponibles : Unified diff
Udpate to 7.77