1 user.pages.inc user_pass_validate($form, &$form_state)

Form validation handler for user_pass().

See also



core/modules/user/user.pages.inc, line 82
User page callback file for the user module.


function user_pass_validate($form, &$form_state) {
  $config = config('user.flood');

  // Do not allow any password reset from the current IP if the limit has been
  // reached.
  if (!flood_is_allowed('pass_reset_ip', $config->get('flood_ip_limit'), $config->get('flood_ip_window'))) {
    form_set_error('name', t('Sorry, too many password reset attempts from your IP address. Try again later.'));
  // Always register a per-IP event.
  flood_register_event('pass_reset_ip', $config->get('flood_ip_window'));

  $name = trim($form_state['values']['name']);
  // Try to load by email.
  $users = user_load_multiple(array(), array('mail' => $name, 'status' => '1'));
  $account = reset($users);
  if (!$account) {
    // No success, try to load by name.
    $users = user_load_multiple(array(), array('name' => $name, 'status' => '1'));
    $account = reset($users);
  if (isset($account->uid)) {
    // Register user flood events based on the uid only, so they can be cleared
    // when a password is reset successfully.
    $identifier = $account->uid;
    // Don't allow password reset if the limit for this user has been reached.
    // Default is to allow 5 passwords resets every 6 hours.
    if (!flood_is_allowed('pass_reset_user', $config->get('flood_user_limit'), $config->get('flood_user_window'), $identifier)) {
      form_set_error('name', t('Sorry, too many password reset attempts for this account. Try again later.'));
    // Register a per-user event.
    flood_register_event('pass_reset_user', $config->get('flood_user_window'), $identifier);

    form_set_value(array('#parents' => array('account')), $account, $form_state);
  else {
    form_set_error('name', t('Sorry, %name is not recognized as a user name or an email address.', array('%name' => $name)));