<?php
  require('global-php.php');
  header('Content-type: text/xml; charset=utf-8');
  $verbindung = database_connection(
  	      "<status>" . $lang_database_failure[$language] . "</status>");
  $PHP_AUTH_USER = $_SERVER["PHP_AUTH_USER"];
  $PHP_AUTH_PW = $_SERVER["PHP_AUTH_PW"];
  $ergebnis = db_exec($verbindung,
			"SELECT * FROM staff_authorization,superuser,"
					. "capability "
				. "WHERE superuser.account"
				. "=staff_authorization.id "
				. "AND superuser.capability=capability.id "
				. "AND capability.name='users' "
				. "AND "
				. login_query_clauses(
					$PHP_AUTH_USER,
					$PHP_AUTH_PW)
				. ";");
  if (pg_numrows($ergebnis) < 1) {
    header('WWW-Authenticate: Basic realm="Kursverwaltung"');
    header("HTTP/1.0 401 Unauthorized");
    echo '<status>' . $lang_authentication_failure[$language] . '</status>';
    db_close($verbindung);
    exit;
  }
  $account = intval($_REQUEST["account"]);
  $passwort = pg_escape_string($_REQUEST["passwort"]);
  $passwort_gleich = pg_escape_string($_REQUEST["passwort_gleich"]);
  $salt = generated_password(64);
  $ergebnis = db_exec($verbindung, "SELECT hashed_password "
  					. "FROM staff_authorization "
					. "WHERE id=$account;");
  $old_hash = pg_result($ergebnis,0,0);
  db_exec($verbindung, "UPDATE staff_authorization "
  			. "SET salt='$salt',"
			. "hashed_password=md5('$salt'||'$passwort') "
			. "WHERE id=$account "
			. "AND '$passwort'='$passwort_gleich';");
  $ergebnis = db_exec($verbindung, "SELECT hashed_password "
  					. "FROM staff_authorization "
					. "WHERE id=$account;");
  $new_hash = pg_result($ergebnis,0,0);
  if ($old_hash == $new_hash) {
?>
<status><?=$lang_password_not_set[$language]?></status>
<?php
  } else {
    $ergebnis = db_exec($verbindung, "SELECT name "
    					. "FROM staff_authorization "
					. "WHERE id=$account;");
    print("<status>" . lang_password_set($language,pg_result($ergebnis,0,0))
			. "</status>");
  }
  db_close($verbindung);
?>