The process to reset a password is as follows:

1. The user chooses to reset a password. He/she enters a new password and submits it to Piwik.
2. PasswordResetter will store the hash of the password in the Option table. This is done by {@link initiatePasswordResetProcess()}.
3. PasswordResetter will generate a reset token and email the user a link to confirm that they requested a password reset. (This way an attacker cannot reset a user's password if they do not have control of the user's email address.)
4. The user opens the email and clicks on the link. The link leads to a controller action that finishes the password reset process.
5. When the link is clicked, PasswordResetter will update the user's password and remove the Option stored earlier. This is accomplished by {@link confirmNewPassword()}.

Note: this class does not contain any controller logic, so it won't directly handle certain requests. Controllers should call the appropriate methods.

## Reset Tokens

Reset tokens are hashes that are unique for each user and are associated with an expiry timestamp in the future. See the {@link generatePasswordResetToken()} and {@link isTokenValid()} methods for more info. By default, reset tokens will expire after 24 hours.

## Overriding

Plugins that want to tweak the password reset process can derive from this class. They can override certain methods (read the documentation for individual methods to see why and how you might want to), but for the overriding to have effect, the derived class must be used by the Login controller.
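The five steps above split the reset into two phases: the new password hash is parked until the user proves control of the email address, and the token that proves it is bound to the user and to an expiry. The following is an added, self-contained PHP sketch of that flow written for this page; it is not Piwik's PasswordResetter, and the class name `DemoPasswordResetter`, the in-memory arrays standing in for the Option table and user table, the per-installation `$secret`, and the exact token layout (expiry plus an HMAC over login, email, current password hash and expiry) are all assumptions chosen for illustration.

```php
<?php
declare(strict_types=1);

// Added example, not Piwik code. All storage is in-memory so it runs offline.
class DemoPasswordResetter
{
    /** @var array<string,string> stands in for the Option table: key => pending password hash */
    private array $options = [];
    /** @var array<string,array{email:string,password_hash:string}> stands in for the user table */
    private array $users;
    private string $secret;        // assumed per-installation secret used to MAC tokens
    private int $tokenLifetime;    // seconds; the page says 24 hours by default

    public function __construct(array $users, string $secret, int $tokenLifetime = 24 * 3600)
    {
        $this->users = $users;
        $this->secret = $secret;
        $this->tokenLifetime = $tokenLifetime;
    }

    // Step 2: hash the NEW password and park it; the live password is untouched.
    // Step 3: return the token the emailed link would carry.
    public function initiatePasswordResetProcess(string $login, string $newPassword): string
    {
        if (!isset($this->users[$login])) {
            throw new RuntimeException('Invalid user');
        }
        $this->options[$this->optionKey($login)] = password_hash($newPassword, PASSWORD_DEFAULT);
        $expiry = time() + $this->tokenLifetime;
        return $this->generatePasswordResetToken($login, $expiry);
    }

    // Token = "<expiry>.<hmac>". Binding the CURRENT password hash into the MAC means
    // the token stops validating as soon as the password changes, so it is single-use.
    public function generatePasswordResetToken(string $login, int $expiry): string
    {
        $user = $this->users[$login];
        $payload = implode('|', [$login, $user['email'], $user['password_hash'], (string) $expiry]);
        return $expiry . '.' . hash_hmac('sha256', $payload, $this->secret);
    }

    // Parse, reject expired tokens, then recompute and compare in constant time.
    public function isTokenValid(string $login, string $token): bool
    {
        if (!isset($this->users[$login])) {
            return false;
        }
        $parts = explode('.', $token, 2);
        if (count($parts) !== 2 || !ctype_digit($parts[0])) {
            return false;
        }
        $expiry = (int) $parts[0];
        if ($expiry < time()) {
            return false; // expired
        }
        $expected = $this->generatePasswordResetToken($login, $expiry);
        return hash_equals($expected, $token);
    }

    // Step 5: promote the parked hash to the live password and drop the option.
    public function confirmNewPassword(string $login, string $token): void
    {
        if (!$this->isTokenValid($login, $token)) {
            throw new RuntimeException('Invalid or expired reset token');
        }
        $key = $this->optionKey($login);
        if (!isset($this->options[$key])) {
            throw new RuntimeException('No password reset is pending for this user');
        }
        $this->users[$login]['password_hash'] = $this->options[$key];
        unset($this->options[$key]);
    }

    public function checkPassword(string $login, string $password): bool
    {
        return isset($this->users[$login])
            && password_verify($password, $this->users[$login]['password_hash']);
    }

    private function optionKey(string $login): string
    {
        return 'PasswordResetter.' . $login;
    }
}

// Walkthrough on constructed data.
$resetter = new DemoPasswordResetter(
    ['alice' => ['email' => 'alice@example.com', 'password_hash' => password_hash('old-pass', PASSWORD_DEFAULT)]],
    'installation-secret-assumed'
);
$token = $resetter->initiatePasswordResetProcess('alice', 'new-pass');
assert($resetter->checkPassword('alice', 'old-pass'));   // nothing changes until the link is clicked
$resetter->confirmNewPassword('alice', $token);
assert($resetter->checkPassword('alice', 'new-pass'));
assert(!$resetter->isTokenValid('alice', $token));        // bound to the old hash, so now rejected
echo "reset flow ok\n";
```

The walkthrough at the bottom is the property worth checking in any implementation of this design: between steps 2 and 5 the old password still works, after step 5 the new one does, and the token that completed the reset cannot be replayed. The expiry is part of the MAC'd payload rather than a separate stored field, so an expiry in the token cannot be edited without invalidating it.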
Example #1
 /**
  * Password reset confirmation action. Finishes the password reset process.
  * Users visit this action from a link supplied in an email.
  */
 public function confirmResetPassword()
 {
     $errorMessage = null;
     $login = Common::getRequestVar('login', '');
     $resetToken = Common::getRequestVar('resetToken', '');
     try {
         $this->passwordResetter->confirmNewPassword($login, $resetToken);
     } catch (Exception $ex) {
         Log::debug($ex);
         $errorMessage = $ex->getMessage();
     }
     if (is_null($errorMessage)) {
         // if success, show login w/ success message
         // have to do this as super user since redirectToIndex checks if there's a default website ID for
         // the current user and if not, doesn't redirect to the requested action. TODO: this behavior is wrong. somehow.
         $self = $this;
         Access::doAsSuperUser(function () use($self) {
             $self->redirectToIndex(Piwik::getLoginPluginName(), 'resetPasswordSuccess');
         });
         return null;
     } else {
         // show login page w/ error. this will keep the token in the URL
         return $this->login($errorMessage);
     }
 }
Example #2
 /**
  * Password reset confirmation action. Finishes the password reset process.
  * Users visit this action from a link supplied in an email.
  */
 public function confirmResetPassword()
 {
     $errorMessage = null;
     $login = Common::getRequestVar('login', '');
     $resetToken = Common::getRequestVar('resetToken', '');
     try {
         $this->passwordResetter->confirmNewPassword($login, $resetToken);
     } catch (Exception $ex) {
         Log::debug($ex);
         $errorMessage = $ex->getMessage();
     }
     if (is_null($errorMessage)) {
         // if success, show login w/ success message
         return $this->resetPasswordSuccess();
     } else {
         // show login page w/ error. this will keep the token in the URL
         return $this->login($errorMessage);
     }
 }