public function loginform_do_reset($form)
{
$name = $form->habari_username->value;
if (empty($name)) {
Session::error(_t('You must supply a username to reset its password.'));
} else {
if (!is_numeric($name) && ($user = User::get($name))) {
$hash = Utils::random_password();
$user->info->password_reset = md5($hash);
$user->info->commit();
$message = _t('Please visit %1$s to reset your password.', array(URL::get('auth', array('page' => 'password_reset', 'id' => $user->id, 'hash' => $hash))));
Utils::mail($user->email, _t('[%1$s] Password reset request for %2$s', array(Options::get('title'), $user->displayname)), $message);
}
// Moving this inside the check for user existence would allow attackers to test usernames, so don't
Session::notice(_t('A password reset request has been sent to the user.'));
}
}