/**
 * Reset the user's password
 *  Take into account the 'send_reset_password' setting
 *   - if it is ON, generate a random password and send an email
 *      (unless the second parameter is false)
 *   - if it is OFF, set the password to blank
 *  Return false if the user is protected, true if the password was
 *   successfully reset
 *
 * @param integer $p_user_id    A valid user identifier.
 * @param boolean $p_send_email Whether to send confirmation email.
 * @return boolean
 */
function user_reset_password($p_user_id, $p_send_email = true)
{
    $t_protected = user_get_field($p_user_id, 'protected');
    # Go with random password and email it to the user
    if (ON == $t_protected) {
        return false;
    }
    # @@@ do we want to force blank password instead of random if
    #      email notifications are turned off?
    #     How would we indicate that we had done this with a return value?
    #     Should we just have two functions? (user_reset_password_random()
    #     and user_reset_password() )?
    if (ON == config_get('send_reset_password') && ON == config_get('enable_email_notification')) {
        $t_email = user_get_field($p_user_id, 'email');
        if (is_blank($t_email)) {
            trigger_error(ERROR_LOST_PASSWORD_NO_EMAIL_SPECIFIED, ERROR);
        }
        # Create random password
        $t_password = auth_generate_random_password();
        $t_password2 = auth_process_plain_password($t_password);
        user_set_field($p_user_id, 'password', $t_password2);
        # Send notification email
        if ($p_send_email) {
            $t_confirm_hash = auth_generate_confirm_hash($p_user_id);
            email_send_confirm_hash_url($p_user_id, $t_confirm_hash);
        }
    } else {
        # use blank password, no emailing
        $t_password = auth_process_plain_password('');
        user_set_field($p_user_id, 'password', $t_password);
        # reset the failed login count because in this mode there is no emailing
        user_reset_failed_login_count_to_zero($p_user_id);
    }
    return true;
}

	OFF == config_get( 'send_reset_password' ) ) {
	trigger_error( ERROR_LOST_PASSWORD_NOT_ENABLED, ERROR );
}

$f_user_id = gpc_get_string('id');
$f_confirm_hash = gpc_get_string('confirm_hash');

# force logout on the current user if already authenticated
if( auth_is_user_authenticated() ) {
	auth_logout();

	# reload the page after logout
	print_header_redirect( "verify.php?id=$f_user_id&confirm_hash=$f_confirm_hash" );
}

$t_calculated_confirm_hash = auth_generate_confirm_hash( $f_user_id );

if ( $f_confirm_hash != $t_calculated_confirm_hash ) {
	trigger_error( ERROR_LOST_PASSWORD_CONFIRM_HASH_INVALID, ERROR );
}

# set a temporary cookie so the login information is passed between pages.
auth_set_cookies( $f_user_id, false );

user_reset_failed_login_count_to_zero( $f_user_id );
user_reset_lost_password_in_progress_count_to_zero( $f_user_id );

# fake login so the user can set their password
auth_attempt_script_login( user_get_field( $f_user_id, 'username' ) );

user_increment_failed_login_count( $f_user_id );

$result = db_query_bound($query, array($f_username, $f_email, true));
if (0 == db_num_rows($result)) {
    trigger_error(ERROR_LOST_PASSWORD_NOT_MATCHING_DATA, ERROR);
}
if (is_blank($f_email)) {
    trigger_error(ERROR_LOST_PASSWORD_NO_EMAIL_SPECIFIED, ERROR);
}
$row = db_fetch_array($result);
$t_user_id = $row['id'];
if (user_is_protected($t_user_id)) {
    trigger_error(ERROR_PROTECTED_ACCOUNT, ERROR);
}
if (!user_is_lost_password_request_allowed($t_user_id)) {
    trigger_error(ERROR_LOST_PASSWORD_MAX_IN_PROGRESS_ATTEMPTS_REACHED, ERROR);
}
$t_confirm_hash = auth_generate_confirm_hash($t_user_id);
email_send_confirm_hash_url($t_user_id, $t_confirm_hash);
user_increment_lost_password_in_progress_count($t_user_id);
form_security_purge('lost_pwd');
$t_redirect_url = 'login_page.php';
html_page_top();
?>

<br />
<div>
<table class="width50" cellspacing="1">
<tr>
	<td class="center">
		<strong><?php 
echo lang_get('lost_password_done_title');
?>