######################################################################
#
#  Confirm Password or Email Change
#
######################################################################
#
#
# Copyright 2000-2008 University of Southampton. All Rights Reserved.
# 
#  This file is part of GNU EPrints 3.
#  
#  Copyright (c) 2000-2008 University of Southampton, UK. SO17 1BJ.
#  
#  EPrints 3 is free software; you can redistribute it and/or modify
#  it under the terms of the GNU General Public License as published by
#  the Free Software Foundation; either version 2 of the License, or
#  (at your option) any later version.
#  
#  EPrints 3 is distributed in the hope that it will be useful,
#  but WITHOUT ANY WARRANTY; without even the implied warranty of
#  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
#  GNU General Public License for more details.
#  
#  You should have received a copy of the GNU General Public License
#  along with EPrints 3; if not, write to the Free Software
#  Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
#
######################################################################

use EPrints;

use strict;

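# Script entry point: open the repository session for this request, build
# the confirmation page and send it back. If no session can be created
# there is nothing to render, so exit quietly.
my $session = EPrints::Session->new;
exit( 0 ) unless( defined $session );

# $title and $page are DOM fragments; make_confirm_page picks the error or
# success title itself.
my( $title, $page ) = make_confirm_page( $session );

$session->build_page( $title, $page, "confirm" );
$session->send_page();
$session->terminate();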


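######################################################################
# make_confirm_page( $session )
#
# Validate the confirmation request carried in the CGI parameters and,
# if it checks out, apply the pending change to the user record.
#
# Expects the parameters "userid" (decimal integer) and "pin". The PIN
# must equal the one stored on the user record and must not be older
# than the repository's "pin_timeout" (hours; 0 or unset disables the
# age check).
#
# Which change is applied depends on the user record: if "newemail" is
# set the email address is replaced, otherwise the pending "newpassword"
# is copied over "password" by direct SQL and the user is logged in.
#
# Returns a two-element list ( $title, $page ) of DOM fragments; the
# title is "cgi/confirm:err_title" on any failure and
# "cgi/confirm:title" on success.
######################################################################

sub make_confirm_page
{
	my( $session ) = @_;

	my $page = $session->make_doc_fragment;

	my $user_ds = $session->get_repository->get_dataset( "user" );

	if( !$session->have_parameters() )
	{
		return _error_page( $session, $page, "general:bad_param" );
	}

	# Process the form. Both values come straight from the request, so pin
	# them down before use: a non-numeric userid would silently become 0
	# and a missing pin would compare as "".
	my $userid = $session->param( "userid" );
	my $pin = $session->param( "pin" );
	if( !defined $userid || $userid !~ m/\A\d+\z/ || !defined $pin )
	{
		return _error_page( $session, $page, "general:bad_param" );
	}
	$userid += 0;

	my $user = EPrints::User->new( $session, $userid );

	if( !defined $user )
	{
		return _error_page( $session, $page, "cgi/confirm:bad_user" );
	}

	my $userpin = $user->get_value( "pin" );

	if( !defined $userpin )
	{
		return _error_page( $session, $page, "cgi/confirm:no_pin" );
	}
	if( !_pins_match( $userpin, $pin ) )
	{
		return _error_page( $session, $page, "cgi/confirm:pin_mismatch" );
	}

	# pin_timeout is configured in hours; 0 (or unset) means the PIN never
	# expires. The age is only computed once a PIN is known to be set,
	# since pinsettime may be unset otherwise.
	my $maxdelta = $session->get_repository->get_conf( "pin_timeout" );
	if( defined $maxdelta && $maxdelta != 0 )
	{
		my $pinsettime = $user->get_value( "pinsettime" );
		my $delta = time - ( defined $pinsettime ? $pinsettime : 0 );
		if( $maxdelta * 60 * 60 < $delta )
		{
			return _error_page( $session, $page, "cgi/confirm:pin_timeout" );
		}
	}

	# Only ONE of "newemail"/"newpassword" should be set: each set_* script
	# is expected to zero the other value when it stores its own.
	#
	# The password branch writes SQL directly because "secret" fields such
	# as newpassword are not readable through the normal field API -- which
	# is also why its presence cannot be checked with is_set() here.
	if( $user->is_set( "newemail" ) )
	{
		my $newemail = $user->get_value( "newemail" );
		$page->appendChild( $session->html_phrase( 
			"cgi/confirm:set_email",
			newemail=>$session->make_text( $newemail ) ) );
		# TODO (cjg): nothing checks that another account does not already
		# use this email; with "lock-username-to-email" that would also
		# yield a duplicate username.
		$user->set_value( "email", $newemail );
		$user->set_value( "newemail", undef );
		# The PIN is single-use: clear it along with the change.
		$user->set_value( "pin", undef );
		if( $user->has_priv( "lock-username-to-email" ) )# cjg change to new system
		{
			# shim the username in the current user object
			$user->set_value( "username", $user->get_value( "email" ) );
		}
		# write the changes
		$user->commit();
	} 
	else
	{
		# Must be password then. Can't see it 'cus it's a "secret".
		# Copy newpassword over password and clear newpassword and the PIN
		# in the same statement, so the PIN is invalidated at the moment
		# the password is swapped.
		my $db = $session->get_database;
		$db->_update_quoted(
			$user_ds->get_sql_table_name,
			["userid"],
			[$db->quote_value($userid)],
			["password","newpassword","pin"],
			[$db->quote_identifier("newpassword"),"NULL","NULL"],
		);
		$page->appendChild( $session->html_phrase( "cgi/confirm:set_password" ) );
		# A confirmed password change also signs the user in.
		$session->login( $user );
	}

	$page->appendChild( $session->html_phrase( "cgi/confirm:username",
		username => $user->render_value( "username" ) ) );

	$page->appendChild( $session->html_phrase( "cgi/confirm:go_login" ) );

	return( $session->html_phrase( "cgi/confirm:title" ) , $page );
}

# Append the error phrase $phraseid to $page and return the ( $title, $page )
# pair that make_confirm_page hands back on every failure path.
sub _error_page
{
	my( $session, $page, $phraseid ) = @_;

	$page->appendChild( $session->html_phrase( $phraseid ) );
	return( $session->html_phrase( "cgi/confirm:err_title" ) , $page );
}

# Compare the stored PIN with the submitted one without stopping at the
# first differing byte, so the time taken does not depend on how much of
# the guess was right. Lengths are compared directly; only the content is
# treated as secret.
sub _pins_match
{
	my( $expected, $given ) = @_;

	return 0 if length( $expected ) != length( $given );

	my $diff = 0;
	for my $i ( 0 .. length( $expected ) - 1 )
	{
		$diff |= ord( substr( $expected, $i, 1 ) ) ^ ord( substr( $given, $i, 1 ) );
	}
	return $diff == 0;
}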

