/**
  * Change the password
  *
  * @param array $data The user submitted data
  * @return HTTPResponse
  */
 public function doChangePassword(array $data)
 {
     if ($member = Member::currentUser()) {
         // The user was logged in, check the current password
         if (empty($data['OldPassword']) || !$member->checkPassword($data['OldPassword'])->valid()) {
             $this->clearMessage();
             $this->sessionMessage(_t('Member.ERRORPASSWORDNOTMATCH', "Your current password does not match, please try again"), "bad");
             // redirect back to the form, instead of using redirectBack() which could send the user elsewhere.
             return $this->controller->redirect($this->controller->Link('changepassword'));
         }
     }
     if (!$member) {
         if (Session::get('AutoLoginHash')) {
             $member = Member::member_from_autologinhash(Session::get('AutoLoginHash'));
         }
         // The user is not logged in and no valid auto login hash is available
         if (!$member) {
             Session::clear('AutoLoginHash');
             return $this->controller->redirect($this->controller->Link('login'));
         }
     }
     // Check the new password
     if (empty($data['NewPassword1'])) {
         $this->clearMessage();
         $this->sessionMessage(_t('Member.EMPTYNEWPASSWORD', "The new password can't be empty, please try again"), "bad");
         // redirect back to the form, instead of using redirectBack() which could send the user elsewhere.
         return $this->controller->redirect($this->controller->Link('changepassword'));
     } else {
         if ($data['NewPassword1'] == $data['NewPassword2']) {
             $isValid = $member->changePassword($data['NewPassword1']);
             if ($isValid->valid()) {
                 // Clear locked out status
                 $member->LockedOutUntil = null;
                 $member->FailedLoginCount = null;
                 $member->write();
                 if ($member->canLogIn()->valid()) {
                     $member->logIn();
                 }
                 // TODO Add confirmation message to login redirect
                 Session::clear('AutoLoginHash');
                 if (!empty($_REQUEST['BackURL']) && Director::is_site_url($_REQUEST['BackURL'])) {
                     $url = Director::absoluteURL($_REQUEST['BackURL']);
                     return $this->controller->redirect($url);
                 } else {
                     // Redirect to default location - the login form saying "You are logged in as..."
                     $redirectURL = HTTP::setGetVar('BackURL', Director::absoluteBaseURL(), $this->controller->Link('login'));
                     return $this->controller->redirect($redirectURL);
                 }
             } else {
                 $this->clearMessage();
                 $this->sessionMessage(_t('Member.INVALIDNEWPASSWORD', "We couldn't accept that password: {password}", array('password' => nl2br("\n" . Convert::raw2xml($isValid->starredList())))), "bad", false);
                 // redirect back to the form, instead of using redirectBack() which could send the user elsewhere.
                 return $this->controller->redirect($this->controller->Link('changepassword'));
             }
         } else {
             $this->clearMessage();
             $this->sessionMessage(_t('Member.ERRORNEWPASSWORD', "You have entered your new password differently, try again"), "bad");
             // redirect back to the form, instead of using redirectBack() which could send the user elsewhere.
             return $this->controller->redirect($this->controller->Link('changepassword'));
         }
     }
 }
 /**
  * Returns the appropriate response up the controller chain
  * if {@link validate()} fails (which is checked prior to executing any form actions).
  * By default, returns different views for ajax/non-ajax request, and
  * handles 'application/json' requests with a JSON object containing the error messages.
  * Behaviour can be influenced by setting {@link $redirectToFormOnValidationError},
  * and can be overruled by setting {@link $validationResponseCallback}.
  *
  * @return HTTPResponse|string
  */
 protected function getValidationErrorResponse()
 {
     $callback = $this->getValidationResponseCallback();
     if ($callback && ($callbackResponse = $callback())) {
         return $callbackResponse;
     }
     $request = $this->getRequest();
     if ($request->isAjax()) {
         // Special case for legacy Validator.js implementation
         // (assumes eval'ed javascript collected through FormResponse)
         $acceptType = $request->getHeader('Accept');
         if (strpos($acceptType, 'application/json') !== FALSE) {
             // Send validation errors back as JSON with a flag at the start
             $response = new HTTPResponse(Convert::array2json($this->validator->getErrors()));
             $response->addHeader('Content-Type', 'application/json');
         } else {
             $this->setupFormErrors();
             // Send the newly rendered form tag as HTML
             $response = new HTTPResponse($this->forTemplate());
             $response->addHeader('Content-Type', 'text/html');
         }
         return $response;
     } else {
         if ($this->getRedirectToFormOnValidationError()) {
             if ($pageURL = $request->getHeader('Referer')) {
                 if (Director::is_site_url($pageURL)) {
                     // Remove existing pragmas
                     $pageURL = preg_replace('/(#.*)/', '', $pageURL);
                     $pageURL = Director::absoluteURL($pageURL, true);
                     return $this->controller->redirect($pageURL . '#' . $this->FormName());
                 }
             }
         }
         return $this->controller->redirectBack();
     }
 }
 /**
  * Gets the url to return to after build
  *
  * @return string|null
  */
 protected function getReturnURL()
 {
     $url = $this->request->getVar('returnURL');
     // Check that this url is a site url
     if (empty($url) || !Director::is_site_url($url)) {
         return null;
     }
     // Convert to absolute URL
     return Director::absoluteURL($url, true);
 }
 /**
  * Redirect back. Uses either the HTTP-Referer or a manually set request-variable called "BackURL".
  * This variable is needed in scenarios where HTTP-Referer is not sent (e.g when calling a page by
  * location.href in IE). If none of the two variables is available, it will redirect to the base
  * URL (see {@link Director::baseURL()}).
  *
  * @uses redirect()
  *
  * @return bool|HTTPResponse
  */
 public function redirectBack()
 {
     // Don't cache the redirect back ever
     HTTP::set_cache_age(0);
     $url = null;
     // In edge-cases, this will be called outside of a handleRequest() context; in that case,
     // redirect to the homepage - don't break into the global state at this stage because we'll
     // be calling from a test context or something else where the global state is inappropraite
     if ($this->getRequest()) {
         if ($this->getRequest()->requestVar('BackURL')) {
             $url = $this->getRequest()->requestVar('BackURL');
         } else {
             if ($this->getRequest()->isAjax() && $this->getRequest()->getHeader('X-Backurl')) {
                 $url = $this->getRequest()->getHeader('X-Backurl');
             } else {
                 if ($this->getRequest()->getHeader('Referer')) {
                     $url = $this->getRequest()->getHeader('Referer');
                 }
             }
         }
     }
     if (!$url) {
         $url = Director::baseURL();
     }
     // absolute redirection URLs not located on this site may cause phishing
     if (Director::is_site_url($url)) {
         $url = Director::absoluteURL($url, true);
         return $this->redirect($url);
     } else {
         return false;
     }
 }
 /**
  * Login in the user and figure out where to redirect the browser.
  *
  * The $data has this format
  * array(
  *   'AuthenticationMethod' => 'MemberAuthenticator',
  *   'Email' => '*****@*****.**',
  *   'Password' => '1nitialPassword',
  *   'BackURL' => 'test/link',
  *   [Optional: 'Remember' => 1 ]
  * )
  *
  * @param array $data
  * @return HTTPResponse
  */
 protected function logInUserAndRedirect($data)
 {
     Session::clear('SessionForms.MemberLoginForm.Email');
     Session::clear('SessionForms.MemberLoginForm.Remember');
     if (Member::currentUser()->isPasswordExpired()) {
         if (isset($_REQUEST['BackURL']) && ($backURL = $_REQUEST['BackURL'])) {
             Session::set('BackURL', $backURL);
         }
         /** @skipUpgrade */
         $cp = ChangePasswordForm::create($this->controller, 'ChangePasswordForm');
         $cp->sessionMessage(_t('Member.PASSWORDEXPIRED', 'Your password has expired. Please choose a new one.'), 'good');
         return $this->controller->redirect('Security/changepassword');
     }
     // Absolute redirection URLs may cause spoofing
     if (!empty($_REQUEST['BackURL'])) {
         $url = $_REQUEST['BackURL'];
         if (Director::is_site_url($url)) {
             $url = Director::absoluteURL($url);
         } else {
             // Spoofing attack, redirect to homepage instead of spoofing url
             $url = Director::absoluteBaseURL();
         }
         return $this->controller->redirect($url);
     }
     // If a default login dest has been set, redirect to that.
     if ($url = Security::config()->default_login_dest) {
         $url = Controller::join_links(Director::absoluteBaseURL(), $url);
         return $this->controller->redirect($url);
     }
     // Redirect the user to the page where they came from
     $member = Member::currentUser();
     if ($member) {
         $firstname = Convert::raw2xml($member->FirstName);
         if (!empty($data['Remember'])) {
             Session::set('SessionForms.MemberLoginForm.Remember', '1');
             $member->logIn(true);
         } else {
             $member->logIn();
         }
         Session::set('Security.Message.message', _t('Member.WELCOMEBACK', "Welcome Back, {firstname}", array('firstname' => $firstname)));
         Session::set("Security.Message.type", "good");
     }
     return Controller::curr()->redirectBack();
 }
 /**
  * Given a successful login, tell the parent frame to close the dialog
  *
  * @return HTTPResponse|DBField
  */
 public function success()
 {
     // Ensure member is properly logged in
     if (!Member::currentUserID()) {
         return $this->redirectToExternalLogin();
     }
     // Get redirect url
     $controller = $this->getResponseController(_t('CMSSecurity.SUCCESS', 'Success'));
     $backURLs = array($this->getRequest()->requestVar('BackURL'), Session::get('BackURL'), Director::absoluteURL(AdminRootController::config()->url_base, true));
     $backURL = null;
     foreach ($backURLs as $backURL) {
         if ($backURL && Director::is_site_url($backURL)) {
             break;
         }
     }
     // Show login
     $controller = $controller->customise(array('Content' => _t('CMSSecurity.SUCCESSCONTENT', '<p>Login success. If you are not automatically redirected ' . '<a target="_top" href="{link}">click here</a></p>', 'Login message displayed in the cms popup once a user has re-authenticated themselves', array('link' => $backURL))));
     return $controller->renderWith($this->getTemplatesFor('success'));
 }
 /**
  * Mostly tested by {@link testIsRelativeUrl()},
  * just adding the host name matching aspect here.
  */
 public function testIsSiteUrl()
 {
     $this->assertFalse(Director::is_site_url("http://test.com"));
     $this->assertTrue(Director::is_site_url(Director::absoluteBaseURL()));
     $this->assertFalse(Director::is_site_url("http://test.com?url=" . Director::absoluteBaseURL()));
     $this->assertFalse(Director::is_site_url("http://test.com?url=" . urlencode(Director::absoluteBaseURL())));
     $this->assertFalse(Director::is_site_url("//test.com?url=" . Director::absoluteBaseURL()));
 }