From fbd90fa46081cb5a7208dfff83041927f7759b9f Mon Sep 17 00:00:00 2001
From: plegall
Date: Fri, 12 Feb 2016 20:20:12 +0100
Subject: fixes #414, deactivate auth keys on password change

---
 include/functions_user.inc.php     | 18 ++++++++++++++++++
 include/ws_functions/pwg.users.php |  5 +++++
 password.php                       |  2 ++
 profile.php                        |  2 ++
 4 files changed, 27 insertions(+)

diff --git a/include/functions_user.inc.php b/include/functions_user.inc.php
index 2591929b4..66c08d5db 100644
--- a/include/functions_user.inc.php
+++ b/include/functions_user.inc.php
@@ -1596,4 +1596,22 @@ SELECT
     return create_user_auth_key($user_id, $user_status);
   }
 }
+
+/**
+ * Deletes authentication keys
+ *
+ * @since 2.8
+ * @param int $user_id
+ * @return null
+ */
+function deactivate_user_auth_keys($user_id)
+{
+  $query = '
+UPDATE '.USER_AUTH_KEYS_TABLE.'
+  SET expired_on = NOW()
+  WHERE user_id = '.$user_id.'
+    AND expired_on > NOW()
+;';
+  pwg_query($query);
+}
 ?>
diff --git a/include/ws_functions/pwg.users.php b/include/ws_functions/pwg.users.php
index f8fe51c2a..eaa96c9c1 100644
--- a/include/ws_functions/pwg.users.php
+++ b/include/ws_functions/pwg.users.php
@@ -552,6 +552,11 @@ SELECT
     array($conf['user_fields']['id'] => $params['user_id'][0])
     );
 
+  if (isset($updates[ $conf['user_fields']['password'] ]))
+  {
+    deactivate_user_auth_keys($params['user_id'][0]);
+  }
+
   if (isset($update_status) and count($params['user_id_for_status']) > 0)
   {
     $query = '
diff --git a/password.php b/password.php
index 4e03079a7..5a96ea1bc 100644
--- a/password.php
+++ b/password.php
@@ -260,6 +260,8 @@ function reset_password()
     array('user_id' => $user_id)
     );
 
+  deactivate_user_auth_keys($user_id);
+
   $page['infos'][] = l10n('Your password has been reset');
   $page['infos'][] = ''.l10n('Login').'';
 
diff --git a/profile.php b/profile.php
index b143cbf54..3f60fde1b 100644
--- a/profile.php
+++ b/profile.php
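Review bot: `WHERE user_id = '.$user_id.'` in deactivate_user_auth_keys splices the argument into the SQL string unchanged; the three call sites this commit adds pass values that are integers in practice, but the helper accepts anything and should make that guarantee itself with `WHERE user_id = '.(int)$user_id.'`, so the statement stays safe independently of how each caller validated its input. The docblock says "Deletes authentication keys" while the statement only sets `expired_on = NOW()` on keys that are still valid; a heading such as `Expires every currently valid authentication key of a user (rows are kept, expired_on is set to NOW())` would match what the code does. `@return null` can be `@return void`, since nothing is returned and the return value of `pwg_query` is not inspected.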
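Review bot: The reset path now expires the user's auth keys, but nothing in this hunk touches any other long-lived credential the account may hold — if the application keeps remember-me cookies or server-side sessions for `$user_id`, they stay valid after a reset, which is the moment an account owner most wants them gone; worth confirming whether such state exists and, if so, clearing it alongside this call. The call is unconditional after `single_update`, so keys are expired even if that write failed, which is the fail-safe direction and fine. A one-line comment, `// a reset also invalidates every one-click login link still in circulation`, would record why this sits here. reset_password's body begins and ends outside the hunk.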
@@ -207,6 +207,8 @@ function save_profile_from_post($userdata, &$errors)
     $fields[] = $conf['user_fields']['password'];
     // password is hashed with function $conf['password_hash']
     $data{$conf['user_fields']['password']} = $conf['password_hash']($_POST['use_new_pwd']);
+
+    deactivate_user_auth_keys($userdata['id']);
   }
 
   // username is updated only if allowed
-- 
cgit v1.2.3
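Review bot: `deactivate_user_auth_keys($userdata['id'])` runs while the new password is only being queued into `$fields`/`$data`; the actual write appears to happen later in save_profile_from_post (outside the hunk), and the function collects `&$errors`, so if a later check rejects the submission the keys are already expired although the password never changed. That is fail-safe rather than harmful, but placing the call next to the eventual update keeps the two in step and avoids surprising users whose form was rejected. Either way a short comment on the new line, `// expire one-click login keys: the password is about to change`, would make the intent explicit. The enclosing function starts and ends outside the hunk.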