Fixes to improve the password recovery process. There is now a

confirmation step required before the password is changed and sent.

Also, many of the email texts have been cleaned up.

TRANSLATORS:  check your texts in moodle.php starting with "email.."

lang/en/moodle.php

@@ -151,8 +151,7 @@ $string['emailconfirmation'] = "Hi \$a->firstname,
 A new account has been requested at '\$a->sitename'
 using your email address.
 
-To confirm your new account, please go to the
-following web address:
+To confirm your new account, please go to this web address:
 
   \$a->link
 
@@ -161,15 +160,40 @@ which you can just click on.  If that doesn't work,
 then cut and paste the address into the address
 line at the top of your web browser window.
 
-Cheers from the '\$a->sitename' administrator,
+If you need help, please contact the site administrator,
 \$a->admin";
-
+$string['emailconfirmationsubject'] = "\$a: account confirmation";
 $string['emaildisplay'] = "Email display";
 $string['emaildisplayno'] = "Hide my real email address from everyone";
 $string['emaildisplayyes'] = "Allow everyone to see my email address";
 $string['emaildisplaycourse'] = "Allow only other course members to see my email address";
 $string['emailexists'] = "This email address is already registered.";
 $string['emailmustbereal'] = "Note: your email address must be a real one";
+$string['emailpasswordconfirmation'] = "Hi \$a->firstname,
+
+Someone (probably you) has requested a new password for your 
+account on '\$a->sitename'.
+
+To confirm this and have a new password sent to you via email,
+go to the following web address:
+
+  \$a->link
+
+In most mail programs, this should appear as a blue link
+which you can just click on.  If that doesn't work,
+then cut and paste the address into the address
+line at the top of your web browser window.
+
+If you need help, please contact the site administrator,
+\$a->admin";
+$string['emailpasswordconfirmationsubject'] = "\$a: change password confirmation";
+$string['emailpasswordconfirmsent'] = "An email should have been sent to your address at <b>\$a</b>.
+<p>It contains easy instructions to confirm and complete this password change.
+If you continue to have difficulty, contact the site administrator.";
+$string['emailpasswordsent'] = "Thank you for confirming the change of password.
+<p>An email containing your new password has been sent to your address at <b>\$a->email</b>.
+<p>The new password was automatically generated - you might like to
+<a href=\$a->link>change your password</a> to something easier to remember.";
 $string['enrolmentkey'] = "Enrolment key";
 $string['enrolmentkeyfrom'] = "This course requires an 'enrolment key' - a one-time<BR>
 password that you should have got from \$a";
@@ -431,6 +455,7 @@ $string['outline'] = "Outline";
 $string['participants'] = "Participants";
 $string['password'] = "Password";
 $string['passwordchanged'] = "Password has been changed";
+$string['passwordconfirmchange'] = "Confirm password change";
 $string['passwordsdiffer'] = "These passwords do not match";
 $string['passwordrecovery'] = "Yes, help me log in";
 $string['passwordsent'] = "Password has been sent";

lib/moodlelib.php

@@ -771,12 +771,32 @@ function send_confirmation_email($user) {
     $data->admin = "$from->firstname $from->lastname ($from->email)";
 
     $message = get_string("emailconfirmation", "", $data);
-    $subject = "$site->fullname account confirmation";
+    $subject = get_string("emailconfirmationsubject", "", $site->fullname);
 
     return email_to_user($user, $from, $subject, $message);
 
 }
 
+function send_password_change_confirmation_email($user) {
+
+    global $CFG;
+
+    $site = get_site();
+    $from = get_admin();
+
+    $data->firstname = $user->firstname;
+    $data->sitename = $site->fullname;
+    $data->link = "$CFG->wwwroot/login/forgot_password.php?p=$user->secret&s=$user->username";
+    $data->admin = "$from->firstname $from->lastname ($from->email)";
+
+    $message = get_string("emailpasswordconfirmation", "", $data);
+    $subject = get_string("emailpasswordconfirmationsubject", "", $site->fullname);
+
+    return email_to_user($user, $from, $subject, $message);
+
+}
+
+
 
 
 /// FILE HANDLING  /////////////////////////////////////////////

lib/weblib.php

@@ -715,7 +715,7 @@ function print_navigation ($navigation) {
        if (! $site = get_site()) {
            $site->shortname = get_string("home");;
        }
-       echo "<A TARGET=\"{$CFG->framename}\" HREF=\"$CFG->wwwroot/\">$site->shortname</A> -> $navigation";
+       echo "<a target=\"{$CFG->framename}\" href=\"$CFG->wwwroot/\">$site->shortname</a> -> $navigation";
    }
 }
 
@@ -725,9 +725,9 @@ function print_heading($text, $align="CENTER", $size=3) {
 
 function print_heading_with_help($text, $helppage, $module="moodle") {
 // Centered heading with attached help button (same title text)
-    echo "<P ALIGN=\"CENTER\"><FONT SIZE=\"3\"><B>".stripslashes_safe($text);
+    echo "<p align=\"center\"><font size=\"3\"><b>".stripslashes_safe($text);
     helpbutton($helppage, $text, $module);
-    echo "</B></FONT></P>";
+    echo "</b></font></p>";
 }
     
 function print_continue($link) {
@@ -736,7 +736,7 @@ function print_continue($link) {
         $link = $_SERVER["HTTP_REFERER"];
     }
 
-    print_heading("<A HREF=\"$link\">".get_string("continue")."</A>");
+    print_heading("<a href=\"$link\">".get_string("continue")."</a>");
 }
 
 
@@ -1158,9 +1158,9 @@ function notice ($message, $link="") {
         }
     }
 
-    echo "<BR>";
-    print_simple_box($message, "center", "", "$THEME->cellheading");
-    print_heading("<A HREF=\"$link\">".get_string("continue")."</A>");
+    echo "<br>";
+    print_simple_box($message, "center", "50%", "$THEME->cellheading", "", "noticebox");
+    print_heading("<a href=\"$link\">".get_string("continue")."</a>");
     print_footer(get_site());
     die;
 }
@@ -1168,13 +1168,13 @@ function notice ($message, $link="") {
 function notice_yesno ($message, $linkyes, $linkno) {
     global $THEME;
 
-    print_simple_box_start("center", "", "$THEME->cellheading");
-    echo "<P ALIGN=CENTER><FONT SIZE=3>$message</FONT></P>";
-    echo "<P ALIGN=CENTER><FONT SIZE=3><B>";
-    echo "<A HREF=\"$linkyes\">".get_string("yes")."</A>";
+    print_simple_box_start("center", "60%", "$THEME->cellheading");
+    echo "<p align=center><font size=3>$message</font></p>";
+    echo "<p align=center><font size=3><b>";
+    echo "<a href=\"$linkyes\">".get_string("yes")."</a>";
     echo "&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;";
-    echo "<A HREF=\"$linkno\">".get_string("no")."</A>";
-    echo "</B></FONT></P>";
+    echo "<a href=\"$linkno\">".get_string("no")."</a>";
+    echo "</b></font></p>";
     print_simple_box_end();
 }
 

login/forgot_password.php

@@ -2,36 +2,62 @@
 
 	require_once("../config.php");
 
-	if ($frm = data_submitted()) {
+    optional_variable($p, "");
+    optional_variable($s, "");
 
-		validate_form($frm, $err);
+    if (!empty($p) and !empty($s)) {  // User trying to authenticate change password routine
 
 		update_login_count();
 
+        $user = get_user_info_from_db("username", "$s");
+
+        if (!empty($user)) {
+            if ($user->secret == $p) {   // They have provided the secret key to get in
+
+                if (isguest($user->id)) {
+                    error("Can't change guest password!");
+                }
+    
+			    if (! reset_password_and_mail($user)) {
+                    error("Could not reset password and mail the new one to you");
+                }
+    
+			    reset_login_count();
+
+	            print_header(get_string("passwordsent"), get_string("passwordsent"), get_string("passwordsent"));
+
+                $a->email = $user->email;
+                $a->link = "$CFG->wwwroot/login/change_password.php";
+                notice(get_string("emailpasswordsent", "", $a), $a->link);
+            }
+        }
+        error(get_string("error"));
+    }
+
+	if ($frm = data_submitted()) {    // Initial request for new password
+
+		validate_form($frm, $err);
+
 		if (count((array)$err) == 0) {
 
 			if (!$user = get_user_info_from_db("email", $frm->email)) {
                 error("No such user with this address:  $frm->email");
             }
-
-            if (isguest($user->id)) {
-                error("Can't change guest password!");
+            
+            $user->secret = random_string(15);
+            
+			if (!set_field("user", "secret", $user->secret, "id", $user->id)) {
+                error("Could not set user secret string!");
             }
 
-			if (! reset_password_and_mail($user)) {
-                error("Could not reset password and mail the new one to you");
+            if (! send_password_change_confirmation_email($user)) {
+                error("Could not send you an email to confirm the password change");
             }
 
-			reset_login_count();
-	        print_header(get_string("passwordsent"), get_string("passwordsent"), get_string("passwordsent"));
-            echo "<CENTER>";
-            $a->email = $frm->email;
-            $a->link = "$CFG->wwwroot/login/change_password.php";
-	        print_string("passwordsenttext", "", $a);
-            echo "</CENTER>";
-            print_footer();
-			exit;
-		}
+	        print_header(get_string("passwordconfirmchange"), get_string("passwordconfirmchange"));
+            
+            notice(get_string('emailpasswordconfirmsent', '', $user->email), $CFG->wwwroot);
+        }
 	}
 
 	if (empty($frm->email)) {

login/signup.php

@@ -5,8 +5,10 @@
     require_once("../auth/$CFG->auth/lib.php");
 
     if ($user = data_submitted()) {
+
         validate_form($user, $err);
         $user->username= trim(moodle_strtolower($user->username));
+
         if (count((array)$err) == 0) {
             $plainpass = $user->password;
             $user->password = md5($user->password);
@@ -28,8 +30,6 @@
                 error("Could not add your record to the database!");
             }
 
-           
-
             if (! send_confirmation_email($user)) {
                 error("Tried to send you an email but failed!");
             }