5 files changed, 121 insertions, 45 deletions

diff --git a/modules/user/controllers/admin_users.php b/modules/user/controllers/admin_users.php
index 03d9858b..df3d96c9 100644
--- a/modules/user/controllers/admin_users.php
+++ b/modules/user/controllers/admin_users.php
@@ -60,9 +60,7 @@ class Admin_Users_Controller extends Admin_Controller {
   }
 
   public function add_user_form() {
-    $v = new View("user_form.html");
-    $v->form = $this->_get_user_add_form_admin();
-    print $v;
+    print $this->_get_user_add_form_admin();
   }
 
   public function delete_user($id) {
@@ -147,13 +145,7 @@ class Admin_Users_Controller extends Admin_Controller {
       throw new Kohana_404_Exception();
     }
 
-    $v = new View("user_form.html");
-    $v->form = $this->_get_user_edit_form_admin($user);
-    // Don't allow the user to control their own admin bit, else you can lock yourself out
-    if ($user->id == identity::active_user()->id) {
-      $v->form->edit_user->admin->disabled(1);
-    }
-    print $v;
+    print $this->_get_user_edit_form_admin($user);
   }
 
   public function add_user_to_group($user_id, $group_id) {
@@ -287,18 +279,32 @@ class Admin_Users_Controller extends Admin_Controller {
     $form = new Forge(
       "admin/users/edit_user/$user->id", "", "post", array("id" => "g-edit-user-form"));
     $group = $form->group("edit_user")->label(t("Edit user"));
-    $group->input("name")->label(t("Username"))->id("g-username")->value($user->name);
-    $group->inputs["name"]->error_messages(
-      "conflict", t("There is already a user with that username"));
-    $group->input("full_name")->label(t("Full name"))->id("g-fullname")->value($user->full_name);
-    self::_add_locale_dropdown($group, $user);
-    $group->password("password")->label(t("Password"))->id("g-password");
+    $group->input("name")->label(t("Username"))->id("g-username")->value($user->name)
+      ->error_messages("conflict", t("There is already a user with that username"));
+    $group->input("full_name")->label(t("Full name"))->id("g-fullname")->value($user->full_name)
+      ->error_messages("length", t("This name is too long"));
+    $group->password("password")->label(t("Password"))->id("g-password")
+      ->error_messages("min_length", t("This password is too short"));
+    $group->script("")
+      ->text(
+        '$("form").ready(function(){$(\'input[name="password"]\').user_password_strength();});');
     $group->password("password2")->label(t("Confirm password"))->id("g-password2")
+      ->error_messages("matches", t("The passwords you entered do not match"))
       ->matches($group->password);
-    $group->input("email")->label(t("Email"))->id("g-email")->value($user->email);
-    $group->input("url")->label(t("URL"))->id("g-url")->value($user->url);
+    $group->input("email")->label(t("Email"))->id("g-email")->value($user->email)
+      ->error_messages("required", t("You must enter a valid email address"))
+      ->error_messages("length", t("This email address is too long"))
+      ->error_messages("email", t("You must enter a valid email address"));
+    $group->input("url")->label(t("URL"))->id("g-url")->value($user->url)
+      ->error_messages("url", t("You must enter a valid URL"));
+    self::_add_locale_dropdown($group, $user);
     $group->checkbox("admin")->label(t("Admin"))->id("g-admin")->checked($user->admin);
 
+    // Don't allow the user to control their own admin bit, else you can lock yourself out
+    if ($user->id == identity::active_user()->id) {
+      $group->admin->disabled(1);
+    }
+
     module::event("user_edit_form_admin", $user, $form);
     $group->submit("")->value(t("Modify User"));
     return $form;
@@ -308,13 +314,25 @@ class Admin_Users_Controller extends Admin_Controller {
     $form = new Forge("admin/users/add_user", "", "post", array("id" => "g-add-user-form"));
     $group = $form->group("add_user")->label(t("Add user"));
     $group->input("name")->label(t("Username"))->id("g-username")
+      ->error_messages("required", t("A name is required"))
+      ->error_messages("length", t("This name is too long"))
       ->error_messages("conflict", t("There is already a user with that username"));
-    $group->input("full_name")->label(t("Full name"))->id("g-fullname");
-    $group->password("password")->label(t("Password"))->id("g-password");
+    $group->input("full_name")->label(t("Full name"))->id("g-fullname")
+      ->error_messages("length", t("This name is too long"));
+    $group->password("password")->label(t("Password"))->id("g-password")
+      ->error_messages("min_length", t("This password is too short"));
+    $group->script("")
+      ->text(
+        '$("form").ready(function(){$(\'input[name="password"]\').user_password_strength();});');
     $group->password("password2")->label(t("Confirm password"))->id("g-password2")
+      ->error_messages("matches", t("The passwords you entered do not match"))
       ->matches($group->password);
-    $group->input("email")->label(t("Email"))->id("g-email");
-    $group->input("url")->label(t("URL"))->id("g-url");
+    $group->input("email")->label(t("Email"))->id("g-email")
+      ->error_messages("required", t("You must enter a valid email address"))
+      ->error_messages("length", t("This email address is too long"))
+      ->error_messages("email", t("You must enter a valid email address"));
+    $group->input("url")->label(t("URL"))->id("g-url")
+      ->error_messages("url", t("You must enter a valid URL"));
     self::_add_locale_dropdown($group);
     $group->checkbox("admin")->label(t("Admin"))->id("g-admin");
 
diff --git a/modules/user/controllers/users.php b/modules/user/controllers/users.php
index d0c67dd1..166ff8b2 100644
--- a/modules/user/controllers/users.php
+++ b/modules/user/controllers/users.php
@@ -20,7 +20,6 @@
 class Users_Controller extends Controller {
   public function update($id) {
     $user = user::lookup($id);
-
     if ($user->guest || $user->id != identity::active_user()->id) {
       access::forbidden();
     }
@@ -29,9 +28,6 @@ class Users_Controller extends Controller {
     try {
       $valid = $form->validate();
       $user->full_name = $form->edit_user->full_name->value;
-      if ($form->edit_user->password->value) {
-        $user->password = $form->edit_user->password->value;
-      }
       $user->email = $form->edit_user->email->value;
       $user->url = $form->edit_user->url->value;
 
@@ -57,7 +53,7 @@ class Users_Controller extends Controller {
 
       $user->save();
       module::event("user_edit_form_completed", $user, $form);
-      message::success(t("User information updated."));
+      message::success(t("User information updated"));
       print json_encode(
         array("result" => "success",
               "resource" => url::site("users/{$user->id}")));
@@ -66,30 +62,93 @@ class Users_Controller extends Controller {
     }
   }
 
+  public function change_password($id) {
+    $user = user::lookup($id);
+    if ($user->guest || $user->id != identity::active_user()->id) {
+      access::forbidden();
+    }
+
+    $form = $this->_get_change_password_form($user);
+    try {
+      $valid = $form->validate();
+      $user->password = $form->change_password->password->value;
+      $user->validate();
+    } catch (ORM_Validation_Exception $e) {
+      // Translate ORM validation errors into form error messages
+      foreach ($e->validation->errors() as $key => $error) {
+        $form->change_password->inputs[$key]->add_error($error, 1);
+      }
+      $valid = false;
+    }
+
+    if ($valid) {
+      $user->save();
+      module::event("user_change_password_form_completed", $user, $form);
+      message::success(t("Password changed"));
+      module::event("user_password_change", $user);
+      print json_encode(
+        array("result" => "success",
+              "resource" => url::site("users/{$user->id}")));
+    } else {
+      log::warning("user", t("Failed password change for %name", array("name" => $user->name)));
+      $name = $user->name;
+      module::event("user_password_change_failed", $name);
+      print json_encode(array("result" => "error", "form" => (string) $form));
+    }
+  }
+
   public function form_edit($id) {
     $user = user::lookup($id);
     if ($user->guest || $user->id != identity::active_user()->id) {
       access::forbidden();
     }
 
-    $v = new View("user_form.html");
-    $v->form = $this->_get_edit_form($user);
-    print $v;
+    print $this->_get_edit_form($user);
+  }
+
+  public function form_change_password($id) {
+    $user = user::lookup($id);
+    if ($user->guest || $user->id != identity::active_user()->id) {
+      access::forbidden();
+    }
+
+    print $this->_get_change_password_form($user);
+  }
+
+  private function _get_change_password_form($user) {
+    $form = new Forge(
+      "users/change_password/$user->id", "", "post", array("id" => "g-change-password-user-form"));
+    $group = $form->group("change_password")->label(t("Change your password"));
+    $group->password("old_password")->label(t("Old password"))->id("g-password")
+      ->callback("auth::validate_too_many_failed_password_changes")
+      ->callback("user::valid_password")
+      ->error_messages("invalid", t("Incorrect password"))
+      ->error_messages(
+        "too_many_failed_password_changes",
+        t("Too many incorrect passwords.  Try again later"));
+    $group->password("password")->label(t("New password"))->id("g-password")
+      ->error_messages("min_length", t("Your new password is too short"));
+    $group->script("")
+      ->text(
+        '$("form").ready(function(){$(\'input[name="password"]\').user_password_strength();});');
+    $group->password("password2")->label(t("Confirm new password"))->id("g-password2")
+      ->matches($group->password)
+      ->error_messages("matches", t("The passwords you entered do not match"));
+
+    module::event("user_change_password_form", $user, $form);
+    $group->submit("")->value(t("Save"));
+    return $form;
   }
 
   private function _get_edit_form($user) {
     $form = new Forge("users/update/$user->id", "", "post", array("id" => "g-edit-user-form"));
-    $group = $form->group("edit_user")->label(t("Edit User: %name", array("name" => $user->name)));
+    $group = $form->group("edit_user")->label(t("Edit your profile"));
     $group->input("full_name")->label(t("Full Name"))->id("g-fullname")->value($user->full_name)
       ->error_messages("length", t("Your name is too long"));
     self::_add_locale_dropdown($group, $user);
-    $group->password("password")->label(t("Password"))->id("g-password")
-      ->error_messages("min_length", t("Your password is too short"));
-    $group->password("password2")->label(t("Confirm Password"))->id("g-password2")
-      ->matches($group->password)
-      ->error_messages("matches", t("The passwords you entered do not match"));
     $group->input("email")->label(t("Email"))->id("g-email")->value($user->email)
       ->error_messages("email", t("You must enter a valid email address"))
+      ->error_messages("length", t("Your email address is too long"))
       ->error_messages("required", t("You must enter a valid email address"));
     $group->input("url")->label(t("URL"))->id("g-url")->value($user->url);
 
diff --git a/modules/user/helpers/user.php b/modules/user/helpers/user.php
index 3561021f..7ceca6a5 100644
--- a/modules/user/helpers/user.php
+++ b/modules/user/helpers/user.php
@@ -70,6 +70,12 @@ class user_Core {
     return false;
   }
 
+  static function valid_password($password_input) {
+    if (!user::is_correct_password(identity::active_user(), $password_input->value)) {
+      $password_input->add_error("invalid", 1);
+    }
+  }
+
   /**
    * Create the hashed passwords.
    * @param string $password a plaintext password
diff --git a/modules/user/models/user.php b/modules/user/models/user.php
index baac9315..4404ee63 100644
--- a/modules/user/models/user.php
+++ b/modules/user/models/user.php
@@ -122,7 +122,7 @@ class User_Model extends ORM implements User_Definition {
   public function valid_name(Validation $v, $field) {
     if (db::build()->from("users")
         ->where("name", "=", $this->name)
-        ->where("id", "<>", $this->id)
+        ->merge_where($this->id ? array(array("id", "<>", $this->id)) : null)
         ->count_records() == 1) {
       $v->add_error("name", "conflict");
     }
@@ -136,7 +136,7 @@ class User_Model extends ORM implements User_Definition {
       return;
     }
 
-    if (!$this->loaded() || $this->password_length) {
+    if (!$this->loaded() || isset($this->password_length)) {
       $minimum_length = module::get_var("user", "mininum_password_length", 5);
       if ($this->password_length < $minimum_length) {
         $v->add_error("password", "min_length");
diff --git a/modules/user/views/user_form.html.php b/modules/user/views/user_form.html.php
deleted file mode 100644
index 4ce2b532..00000000
--- a/modules/user/views/user_form.html.php
+++ /dev/null
@@ -1,7 +0,0 @@
-<?php defined("SYSPATH") or die("No direct script access.") ?>
-<script type="text/javascript">
-  $("form").ready(function(){
-    $('input[name="password"]').user_password_strength();
-  });
-</script>
-<?= $form ?>