Switch to profile-based password recovery.

docs/changelog/7.x.x.txt

@@ -42,6 +42,8 @@
  - fix: IP addresses for adminModeSubnets not using X-Forwarded-For properly
  - The Events Calendar is now the new Calendar with some fun new features.
    All your existing Events Calendars will be migrated automatically. 
+ - Major change: password recovery is now based on profile fields rather than
+   email account access
    *** PLEASE READ THE GOTCHAS ***
 
 7.2.3

docs/gotcha.txt

@@ -14,6 +14,16 @@ save you many hours of grief.
    running the entire test suite prior to SVN commits easier to do
    since it won't take so long.
 
+ * Password recovery has been redone.  It is now based on profile fields
+   rather than email access.  Since there's no real way to migrate the
+   latter to one to the other, this upgrade disables password recovery;
+   before enabling it again, use the profile fields editor to set certain
+   fields as required for password recovery.  Then any user who enters all
+   of those fields correctly can recover their password.  The template
+   variables are also different, so if you have a custom password recovery
+   template, you will have to update it.  See the new default password
+   recovery template for an example of how to use the new variables.
+
 7.2.0
 --------------------------------------------------------------------
  * NOTE: if you tried to upgrade to 7.2.0 and it failed during the

docs/upgrades/templates-7.3.0/default-password-recovery-template.tmpl

@@ -0,0 +1,47 @@
+#PBtmpl0000000000000014
+#namespace:Auth/WebGUI/Recovery2
+<h2><tmpl_var title></h2>
+
+<tmpl_if recoverMessage><tmpl_var recoverMessage></tmpl_if>
+
+<tmpl_var recoverFormHeader>
+<tmpl_var recoverFormHidden>
+<table>
+<tmpl_if doingRecovery>
+<tr>
+	<td class="formDescription" valign="top"><tmpl_var recoverFormPasswordLabel></td>
+	<td class="tableData"><tmpl_var recoverFormPassword></td>
+</tr>
+<tr>
+	<td class="formDescription" valign="top"><tmpl_var recoverFormPasswordConfirmLabel></td>
+	<td class="tableData"><tmpl_var recoverFormPasswordConfirm></td>
+</tr>
+<tmpl_else>
+<tmpl_if recoverFormUsername>
+<tr>
+	<td class="formDescription" valign="top"><tmpl_var recoverFormUsernameLabel></td>
+	<td class="tableData"><tmpl_var recoverFormUsername></td>
+</tr>
+</tmpl_if>
+<tmpl_loop recoverFormProfile>
+<tr>
+	<td class="formDescription" valign="top"><tmpl_var label></td>
+	<td class="tableData"><tmpl_var formElement></td>
+</tr>
+</tmpl_loop>
+</tmpl_if>
+<tr>
+	<td class="formDescription" valign="top"></td>
+	<td class="tableData"><tmpl_var recoverFormSubmit></td>
+</tr>
+</table>
+<tmpl_var recoverFormFooter>
+
+<div class="accountOptions">
+	<ul>
+		<tmpl_if anonymousRegistrationIsAllowed>
+			<li><a href="<tmpl_var createAccountUrl>"><tmpl_var createAccountLabel></a></li>
+		</tmpl_if>
+		<li><a href="<tmpl_var loginUrl>"><tmpl_var loginLabel></a></li>
+      	</ul>
+</div>

docs/upgrades/upgrade_7.2.3-7.3.0.pl

@@ -23,6 +23,7 @@ addWikiAssets($session);
 deleteOldFiles($session);
 addFileFieldsToDataForm($session);
 makeRSSFromParentAlwaysHidden($session);
+addProfileFieldsOnPasswordRecovery($session);
 addNewCalendar($session);
 migrateCalendars($session);
 removeOldCalendar($session);
@@ -278,6 +279,20 @@ sub removeOldCalendar {
 	$session->config->deleteFromArray("assets","WebGUI::Asset::Wobject::EventsCalendar");
 }
 
+#-------------------------------------------------
+sub addProfileFieldsOnPasswordRecovery {
+	my $session = shift;
+	print "\tAdding requiredForPasswordRecovery to userProfileField rows.\n" unless $quiet;
+	$session->db->write($_) for(<<'EOT',
+  ALTER TABLE userProfileField
+   ADD COLUMN requiredForPasswordRecovery int(11) NOT NULL default '0'
+EOT
+				   );
+
+	$session->setting->set('webguiPasswordRecovery', 0);
+	$session->setting->add('webguiPasswordRecoveryRequireUsername', 1);
+	$session->setting->set('webguiPasswordRecoveryTemplate', 'PBtmpl0000000000000014');
+}
 
 # ---- DO NOT EDIT BELOW THIS LINE ----