uid) { // The existing user is already logged in. if ($user->uid == $uid) { drupal_set_message(t('You are logged in as %user. Change your password.', array('%user' => $user->name, '!user_edit' => url("user/$user->uid/edit")))); } // A different user is already logged in on the computer. else { $reset_link_account = user_load($uid); if (!empty($reset_link_account)) { drupal_set_message(t('Another user (%other_user) is already logged into the site on this computer, but you tried to use a one-time link for user %resetting_user. Please logout and try using the link again.', array('%other_user' => $user->name, '%resetting_user' => $reset_link_account->name, '!logout' => url('user/logout')))); } else { // Invalid one-time link specifies an unknown user. drupal_set_message(t('The one-time login link you clicked is invalid.')); } } drupal_goto(); } else { // Time out, in seconds, until login URL expires. 24 hours = 86400 seconds. $timeout = 86400; $current = REQUEST_TIME; // Some redundant checks for extra security ? $users = user_load_multiple(array($uid), array('status' => '0')); if ($timestamp <= $current && $account = reset($users)) { // No time out for first time login. if ($account->login && $current - $timestamp > $timeout) { drupal_set_message(t('You have tried to use a one-time login link that has expired. Please request a new one using the form below.')); drupal_goto('user/password'); } elseif ($account->uid && $timestamp >= $account->login && $timestamp <= $current && $hashed_pass == user_pass_rehash($account->pass, $timestamp, $account->login)) { watchdog('user', 'User %name used one-time login link at time %timestamp.', array('%name' => $account->name, '%timestamp' => $timestamp)); // Activate the user. $account = user_save($account, array('status' => 1)); // Set the new user. $user = $account; // user_login_finalize() also updates the login timestamp of the // user, which invalidates further use of the one-time login link. user_login_finalize(); drupal_set_message(t('You have just used your one-time login link. Your account is now active.')); drupal_goto('user'); } else { drupal_set_message(t('You have tried to use a one-time login link that has either been used or is no longer valid. Please request a new one using the form below.')); drupal_goto('user/password'); } } else { // Deny access, no more clues. // Everything will be in the watchdog's URL for the administrator to check. drupal_access_denied(); } } }