8 files changed, 183 insertions, 91 deletions

diff --git a/modules/user/controllers/password.php b/modules/user/controllers/password.php
new file mode 100644
index 00000000..a8f1c5ca
--- /dev/null
+++ b/modules/user/controllers/password.php
@@ -0,0 +1,133 @@
+<?php defined("SYSPATH") or die("No direct script access.");
+/**
+ * Gallery - a web based photo album viewer and editor
+ * Copyright (C) 2000-2009 Bharat Mediratta
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or (at
+ * your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street - Fifth Floor, Boston, MA  02110-1301, USA.
+ */
+class Password_Controller extends Controller {
+  public function reset() {
+    if (request::method() == "post") {
+      // @todo separate the post from get parts of this function
+      access::verify_csrf();
+      $this->_send_reset();
+    } else {
+      print $this->_reset_form();
+    }
+  }
+
+  public function do_reset() {
+    if (request::method() == "post") {
+      $this->_change_password();
+    } else {
+      $user = user::lookup_user_by_field("hash", Input::instance()->get("key"));
+      if (!empty($user)) {
+        print $this->_new_password_form($user->hash);
+      } else {
+        throw new Exception("@todo FORBIDDEN", 503);
+      }
+    }
+  }
+
+  private function _send_reset() {
+    $form = $this->_reset_form();
+
+    $valid = $form->validate();
+    if ($valid) {
+      $user = Identity::lookup_user_by_name($form->reset->inputs["name"]->value);
+      if (!$user->loaded || empty($user->email)) {
+        $form->reset->inputs["name"]->add_error("no_email", 1);
+        $valid = false;
+      }
+    }
+
+    if ($valid) {
+      $user->hash = md5(rand());
+      $user->save();
+      $message = new View("reset_password.html");
+      $message->confirm_url = url::abs_site("password/do_reset?key=$user->hash");
+      $message->user = $user;
+
+      Sendmail::factory()
+        ->to($user->email)
+        ->subject(t("Password Reset Request"))
+        ->header("Mime-Version", "1.0")
+        ->header("Content-type", "text/html; charset=iso-8859-1")
+        ->message($message->render())
+        ->send();
+
+      log::success(
+        "user",
+        t("Password reset email sent for user %name", array("name" => $user->name)));
+    } else {
+      // Don't include the username here until you're sure that it's XSS safe
+      log::warning(
+        "user", "Password reset email requested for bogus user");
+    }
+
+    message::success(t("Password reset email sent"));
+    print json_encode(
+      array("result" => "success"));
+  }
+
+  private function _reset_form() {
+    $form = new Forge(url::current(true), "", "post", array("id" => "g-reset-form"));
+    $group = $form->group("reset")->label(t("Reset Password"));
+    $group->input("name")->label(t("Username"))->id("g-name")->class(null)->rules("required");
+    $group->inputs["name"]->error_messages("no_email", t("No email, unable to reset password"));
+    $group->submit("")->value(t("Reset"));
+
+    return $form;
+  }
+
+  private function _new_password_form($hash=null) {
+    $template = new Theme_View("page.html", "reset");
+
+    $form = new Forge("password/do_reset", "", "post", array("id" => "g-change-password-form"));
+    $group = $form->group("reset")->label(t("Change Password"));
+    $hidden = $group->hidden("hash");
+    if (!empty($hash)) {
+      $hidden->value($hash);
+    }
+    $group->password("password")->label(t("Password"))->id("g-password")
+      ->rules("required|length[1,40]");
+    $group->password("password2")->label(t("Confirm Password"))->id("g-password2")
+      ->matches($group->password);
+    $group->inputs["password2"]->error_messages(
+      "mistyped", t("The password and the confirm password must match"));
+    $group->submit("")->value(t("Update"));
+
+    $template->content = $form;
+    return $template;
+  }
+
+  private function _change_password() {
+    $view = $this->_new_password_form();
+    if ($view->content->validate()) {
+      $user = user::lookup_user_by_field("hash", Input::instance()->get("key"));
+      if (empty($user)) {
+        throw new Exception("@todo FORBIDDEN", 503);
+      }
+
+      $user->password = $view->content->reset->password->value;
+      $user->hash = null;
+      $user->save();
+      message::success(t("Password reset successfully"));
+      url::redirect(item::root()->abs_url());
+    } else {
+      print $view;
+    }
+  }
+}
\ No newline at end of file
diff --git a/modules/user/helpers/group.php b/modules/user/helpers/group.php
index cf5c050f..8ad52564 100644
--- a/modules/user/helpers/group.php
+++ b/modules/user/helpers/group.php
@@ -42,14 +42,14 @@ class group_Core {
    * @see Identity_Driver::everbody.
    */
   static function everybody() {
-    return Identity::instance()->everybody();
+    return model_cache::get("group", 1);
   }
 
   /**
    * @see Identity_Driver::registered_users.
    */
   static function registered_users() {
-    return Identity::instance()->everybody();
+    return model_cache::get("group", 2);
   }
 
   /**
diff --git a/modules/user/helpers/user.php b/modules/user/helpers/user.php
index fa7b320f..5ef2b726 100644
--- a/modules/user/helpers/user.php
+++ b/modules/user/helpers/user.php
@@ -25,14 +25,21 @@
  */
 class user_Core {
   /**
-   * @see Identity_Driver::guest.
+   * Return the guest user.
+   *
+   * @return User_Model the user object
    */
   static function guest() {
     return model_cache::get("user", 1);
   }
 
   /**
-   * @see Identity_Driver::create_user.
+   * Create a new user.
+   *
+   * @param string  $name
+   * @param string  $full_name
+   * @param string  $password
+   * @return User_Definition the user object
    */
   static function create($name, $full_name, $password) {
     $user = ORM::factory("user")->where("name", $name)->find();
@@ -53,7 +60,9 @@ class user_Core {
   }
 
   /**
-   * @see Identity_Driver::hash_password.
+   * Hash the password to the internal value
+   * @param string   $password the user password
+   * @param string   The hashed equivalent
    */
   static function hash_password($password) {
     require_once(MODPATH . "user/lib/PasswordHash.php");
diff --git a/modules/user/libraries/drivers/Identity/Gallery.php b/modules/user/libraries/drivers/Identity/Gallery.php
index 77db11a3..f405b710 100644
--- a/modules/user/libraries/drivers/Identity/Gallery.php
+++ b/modules/user/libraries/drivers/Identity/Gallery.php
@@ -25,14 +25,14 @@ class Identity_Gallery_Driver implements Identity_Driver {
    * @see Identity_Driver::guest.
    */
   public function guest() {
-    return new Gallery_User(user::guest());
+    return user::guest();
   }
 
   /**
    * @see Identity_Driver::create_user.
    */
   public function create_user($name, $full_name, $password) {
-    return new Gallery_User(user::create($name, $full_name, $password));
+    return user::create($name, $full_name, $password);
   }
 
   /**
@@ -67,122 +67,55 @@ class Identity_Gallery_Driver implements Identity_Driver {
   }
 
   /**
-   * @see Identity_Driver::hash_password.
+   * @see Identity_Driver::lookup_user.
    */
-  public function hash_password($password) {
-    return user::hash_password($password);
+  public function lookup_user($id) {
+    return user::lookup_by_field("id", $id);
   }
 
   /**
-   * @see Identity_Driver::lookup_user_by_field.
+   * @see Identity_Driver::lookup_user_by_name.
    */
-  public function lookup_user_by_field($field_name, $value) {
-    return new Gallery_User(user::lookup_by_field($field_name, $value));
+  public function lookup_user_by_name($name) {
+    return user::lookup_by_field("name", $name);
   }
 
   /**
    * @see Identity_Driver::create_group.
    */
   public function create_group($name) {
-    return new Gallery_Group(group::create($name));
+    return group::create($name);
   }
 
   /**
    * @see Identity_Driver::everybody.
    */
   public function everybody() {
-    return new Gallery_Group(group::everybody());
+    return group::everybody();
   }
 
   /**
    * @see Identity_Driver::registered_users.
    */
   public function registered_users() {
-    return new Gallery_Group(group::registered_users());
+    return group::registered_users();
   }
 
   /**
-   * @see Identity_Driver::lookup_group_by_field.
+   * @see Identity_Driver::lookup_group_by_name.
    */
-  public function lookup_group_by_field($field_name, $value) {
-    return new Gallery_Group(group::lookup_by_field($field_name, $value));
+  static function lookup_group_by_name($name) {
+    return group::lookup_by_field("name", $name);
   }
 
   /**
    * @see Identity_Driver::get_user_list.
    */
   public function get_user_list($ids) {
-    $results = ORM::factory("user")
+    return ORM::factory("user")
       ->in("id", ids)
       ->find_all()
-      ->as_array();;
-    $users = array();
-    foreach ($results as $user) {
-      $users[] = new Gallery_User($user);
-    }
-    return $users;
+      ->as_array();
   }
 } // End Identity Gallery Driver
 
-/**
- * User Data wrapper
- */
-class Gallery_User extends User_Definition {
-  /*
-   *  Not for general user, allows the back-end to easily create the interface object
-   */
-  function __construct($user) {
-    $this->user = $user;
-  }
-
-  /**
-   * @see User_Definition::avatar_url
-   */
-  public function avatar_url($size=80, $default=null) {
-    return $this->user->avatar_url($size, $default);
-  }
-
-  /**
-   * @see User_Definition::display_name
-   */
-  public function display_name() {
-    return $this->user->display_name();
-  }
-
-  public function save() {
-    $this->user->save();
-  }
-
-  public function delete() {
-    $this->user->delete();
-  }
-
-}
-
-/**
- * Group Data wrapper
- */
-class Gallery_Group extends Group_Definition {
-  /*
-   *  Not for general user, allows the back-end to easily create the interface object
-   */
-  function __construct($group) {
-    $this->group = $group;
-  }
-
-  public function save() {
-    $this->group->save();
-  }
-
-  public function delete() {
-    $this->group->delete();
-  }
-
-  public function add($user) {
-    $this->group->add($user->_uncloaked());
-  }
-
-  public function remove($user) {
-    $this->group->remove($user->_uncloaked());
-  }
-}
diff --git a/modules/user/models/group.php b/modules/user/models/group.php
index 8af78012..4432fc69 100644
--- a/modules/user/models/group.php
+++ b/modules/user/models/group.php
@@ -17,7 +17,7 @@
  * along with this program; if not, write to the Free Software
  * Foundation, Inc., 51 Franklin Street - Fifth Floor, Boston, MA  02110-1301, USA.
  */
-class Group_Model extends ORM {
+class Group_Model extends ORM implements Group_Definition {
   protected $has_and_belongs_to_many = array("users");
 
   var $rules = array(
diff --git a/modules/user/models/user.php b/modules/user/models/user.php
index d99603b2..c51fc720 100644
--- a/modules/user/models/user.php
+++ b/modules/user/models/user.php
@@ -17,7 +17,7 @@
  * along with this program; if not, write to the Free Software
  * Foundation, Inc., 51 Franklin Street - Fifth Floor, Boston, MA  02110-1301, USA.
  */
-class User_Model extends ORM {
+class User_Model extends ORM implements User_Definition {
   protected $has_and_belongs_to_many = array("groups");
 
   var $rules = array(
diff --git a/modules/user/views/admin_users.html.php b/modules/user/views/admin_users.html.php
index 7c54d93d..ee8d413c 100644
--- a/modules/user/views/admin_users.html.php
+++ b/modules/user/views/admin_users.html.php
@@ -91,7 +91,7 @@
                   open_text="<?= t("close") ?>"
                   class="g-panel-link g-button ui-state-default ui-corner-all ui-icon-left">
                 <span class="ui-icon ui-icon-pencil"></span><span class="g-button-text"><?= t("edit") ?></span></a>
-              <? if (user::active()->id != $user->id && !$user->guest): ?>
+              <? if (Session::active_user()->id != $user->id && !$user->guest): ?>
               <a href="<?= url::site("admin/users/delete_user_form/$user->id") ?>"
                   class="g-dialog-link g-button ui-state-default ui-corner-all ui-icon-left">
                 <span class="ui-icon ui-icon-trash"></span><?= t("delete") ?></a>
diff --git a/modules/user/views/reset_password.html.php b/modules/user/views/reset_password.html.php
new file mode 100644
index 00000000..92ca4917
--- /dev/null
+++ b/modules/user/views/reset_password.html.php
@@ -0,0 +1,17 @@
+<?php defined("SYSPATH") or die("No direct script access.") ?>
+<html>
+  <head>
+    <title><?= t("Password Reset Request") ?> </title>
+  </head>
+  <body>
+    <h2><?= t("Password Reset Request") ?> </h2>
+    <p>
+      <?= t("Hello, %name,", array("name" => $user->full_name ? $user->full_name : $user->name)) ?>
+    </p>
+    <p>
+  <?= t("We received a request to reset your password for <a href=\"%site_url\">%site_url</a>.  If you made this request, you can confirm it by <a href=\"%confirm_url\">clicking this link</a>.  If you didn't request this password reset, it's ok to ignore this mail.",
+        array("site_url" => html::mark_clean(url::base(false, "http")),
+              "confirm_url" => $confirm_url)) ?>
+    </p>
+  </body>
+</html>