prlp.module in Password Reset Landing Page (PRLP) 6

<?php

/**
 * @file
 * Password Reset Landing Page module.
 */

/**
 * Implements hook_menu().
 */
function prlp_menu() {
  $items = array();
  $items['admin/user/prlp'] = array(
    'title' => 'PRLP settings',
    'description' => 'Configure - Password Reset Landing Page - what happens when users use their one-time login links for resetting password.',
    'page callback' => 'drupal_get_form',
    'page arguments' => array(
      'prlp_admin_settings',
    ),
    'access arguments' => array(
      'administer users',
    ),
    'file' => 'prlp.admin.inc',
  );
  return $items;
}

/**
 * Alters the user password reset landing page.
 *
 * Lets the user enter a new password directly on the landing page
 * and adds a submit handler to save it.
 */
function prlp_form_user_pass_reset_alter(&$form, &$form_state) {
  @(list($formid, $form_form_state, $uid, $timestamp, $hashed_pass) = $form['#parameters']);
  if ($uid) {
    $form['#user'] = user_load($uid);

    // Inject the username/password change form into the current form.
    $edit = empty($form_state['values']) ? (array) $form['#user'] : $form_state['values'];
    $form = array_merge($form, _user_forms($edit, $form['#user'], 'account'));

    // ???
    $form['#user_category'] = 'account';

    // Hide certain fields in $form
    foreach ($form as $key => &$element) {
      if (in_array($key, prlp_get_hidden_fields())) {
        $element['#access'] = FALSE;
      }
    }

    // Hide certain fields in $form['account']
    foreach ($form['account'] as $key => &$element) {
      if (in_array($key, prlp_get_hidden_account_fields())) {
        $element['#access'] = FALSE;
      }
    }

    // Unset $form['#action'] so that the form doesn't get submitted to the
    // user profile edit page. Instead it gets submitted to self.
    unset($form['#action']);

    // Remove the part of the message that talks about changing password later, since they are changing it right here.
    if (!empty($form['message']['#value'])) {
      $form['message']['#value'] = str_replace('<p>Click on this button to log in to the site and change your password.</p>', '', $form['message']['#value']);
    }
    if (is_array($form['account']['pass']) && variable_get('prlp_password_required', 1)) {
      $form['account']['pass']['#required'] = TRUE;
    }

    // before sending the user to user profile edit form.
    $form['#submit'][] = 'prlp_user_pass_reset_submit';
  }
}

/**
 * Default value of the 'prlp_destination' config varible.
 */
define('PRLP_DESTINATION_DEFAULT', 'user/%uid/edit');

/**
 * A copy of 'user_pass_reset' function, with a couple of significant changes.
 *
 * It saves the password or username changes. Also, Unlike that function,
 * this one is a form submit handler.
 */
function prlp_user_pass_reset_submit($form, &$form_state) {
  global $user;
  @(list($formid, $form_form_state, $uid, $timestamp, $hashed_pass) = $form['#parameters']);

  // When processing the one-time login link, we have to make sure that a user
  // isn't already logged in.
  if ($user->uid) {

    // The existing user is already logged in.
    if ($user->uid == $uid) {
      drupal_set_message(t('You are logged in as %user. <a href="!user_edit">Change your password.</a>', array(
        '%user' => $user->name,
        '!user_edit' => url("user/{$user->uid}/edit"),
      )));
    }
    else {
      $reset_link_account = user_load($uid);
      if (!empty($reset_link_account)) {
        drupal_set_message(t('Another user (%other_user) is already logged into the site on this computer, but you tried to use a one-time link for user %resetting_user. Please <a href="!logout">logout</a> and try using the link again.', array(
          '%other_user' => $user->name,
          '%resetting_user' => $reset_link_account->name,
          '!logout' => url('user/logout'),
        )));
      }
      else {

        // Invalid one-time link specifies an unknown user.
        drupal_set_message(t('The one-time login link you clicked is invalid.'));
      }
    }
    $form_state['redirect'] = '';
  }
  else {

    // Time out, in seconds, until login URL expires. Defaults to 24 hours =
    // 86400 seconds.
    $timeout = variable_get('user_password_reset_timeout', 86400);
    $current = time();

    // Some redundant checks for extra security ?
    if ($timestamp < $current && ($account = user_load(array(
      'uid' => $uid,
      'status' => 1,
    )))) {

      // Deny one-time login to blocked accounts.
      if (drupal_is_denied('user', $account->name) || drupal_is_denied('mail', $account->mail)) {
        drupal_set_message(t('You have tried to use a one-time login for an account which has been blocked.'), 'error');
        drupal_goto();
      }

      // No time out for first time login.
      if ($account->login && $current - $timestamp > $timeout) {
        drupal_set_message(t('You have tried to use a one-time login link that has expired. Please request a new one using the form below.'));
        $form_state['redirect'] = 'user/password';
      }
      elseif ($account->uid && $timestamp >= $account->login && $timestamp <= $current && $hashed_pass == user_pass_rehash($account->pass, $timestamp, $account->login)) {

        /*
         * BEGIN: CHANGED from user_pass_reset.
         */
        $form_state['values']['_account'] = $account;
        $form_state['values']['_category'] = 'account';

        // Prevent a notice from line 324 in /modules/user/user.pages.inc.
        if (!isset($_SESSION)) {
          $_SESSION = array();
        }
        user_profile_form_submit($form, $form_state);

        // Get the index of the 'The changes have been saved.' message which was
        // added by user_profile_form_submit().
        $message_index = array_search(t('The changes have been saved.'), $_SESSION['messages']['status']);

        // Replace the message with a custom message.
        $_SESSION['messages']['status'][$message_index] = variable_get($account->access ? 'prlp_confirmation_message_existing_users' : 'prlp_confirmation_message_new_users');

        // Remove empty values.
        $_SESSION['messages']['status'] = array_filter($_SESSION['messages']['status']);

        // If status messages array is empty, remove it completely to prevent
        // an empty message from being displayed.
        if (empty($_SESSION['messages']['status'])) {
          unset($_SESSION['messages']['status']);
        }

        /*
         * END: CHANGED from user_pass_reset.
         */

        // First stage is a confirmation form, then login.
        watchdog('user', 'User %name used one-time login link at time %timestamp.', array(
          '%name' => $account->name,
          '%timestamp' => $timestamp,
        ));

        // Set the new user.
        // Reload the user instead of using $account because the plain text password is in $account->pass at this point.
        $user = user_load($account->uid);

        // user_login_finalize() also updates the login timestamp of the
        // user, which invalidates further use of the one-time login link.
        user_authenticate_finalize($form_state['values']);

        // Users have requested removal of the next message.
        // drupal_set_message(t('You have just used your one-time login link. It is no longer necessary to use this link to log in.'));
        drupal_goto('user/' . $user->uid . '/edit');

        // Let the user's password be changed without the current password check.
        $token = drupal_hash_base64(drupal_random_bytes(55));
        $_SESSION['pass_reset_' . $user->uid] = $token;

        // If necessary, replace '%uid' token with uid of the current user.
        $destination = variable_get('prlp_destination', PRLP_DESTINATION_DEFAULT);
        if (empty($destination) || $destination == PRLP_DESTINATION_DEFAULT) {
          $form_state['redirect'] = array(
            'user/' . $user->uid . '/edit',
            array(
              'query' => array(
                'pass-reset-token' => $token,
              ),
            ),
          );
        }
        else {
          $destination = str_replace('%uid', $user->uid, $destination);

          // Handle URL parameters in destination.
          $destination = drupal_parse_url($destination);
          $form_state['redirect'] = array(
            $destination['path'],
            $destination,
          );
        }
      }
      else {
        drupal_set_message(t('You have tried to use a one-time login link that has either been used or is no longer valid. Please request a new one using the form below.'));
        $form_state['redirect'] = 'user/password';
      }
    }
    else {

      // Deny access, no more clues.
      // Everything will be in the watchdog's URL for the administrator to check.
      drupal_access_denied();
    }
  }
}
define('PRLP_HIDDEN_FIELDS_DEFAULT', "timezone");

/**
 * Returns an array of fields under $form that should be hidden in PRLP form.
 */
function prlp_get_hidden_fields() {
  static $fields = array();
  if (empty($fields)) {

    // Break the variable value by newline separator.
    $fields = explode("\n", variable_get('prlp_hidden_fields', PRLP_HIDDEN_FIELDS_DEFAULT));
    foreach ($fields as &$field) {
      $field = trim($field);
    }
  }
  return $fields;
}
define('PRLP_HIDDEN_ACCOUNT_FIELDS_DEFAULT', "mail");

/**
 * Returns an array of fields on $form['account'] that should be hidden by PRLP.
 */
function prlp_get_hidden_account_fields() {
  static $fields = array();
  if (empty($fields)) {

    // Break the variable value by newline separator.
    $fields = explode("\n", variable_get('prlp_hidden_account_fields', PRLP_HIDDEN_ACCOUNT_FIELDS_DEFAULT));
  }
  return $fields;
}