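 /**
  * Confirms and performs the deletion of a user.
  *
  * GET renders the confirmation page; the confirmation form itself is sent
  * with DELETE, so handleRequest() leaves the form unsubmitted on the initial
  * GET and the template parameters are returned instead. The DELETE is
  * protected by the form component's CSRF token (the default for
  * createFormBuilder) — NOTE(review): confirm it is not disabled in config.
  *
  * @Method("GET|DELETE")
  * @Route("/{id}/delete", name="admin-user_delete")
  * @ParamConverter("user", class="Model:User")
  * @Template("admin/user/delete.html.twig")
  *
  * @param User    $user    User resolved from the {id} route parameter.
  * @param Request $request Current request, consumed by the delete form.
  *
  * @return array|\Symfony\Component\HttpFoundation\RedirectResponse
  *     Template parameters until a valid DELETE arrives, then a redirect to the user list.
  */
 public function deleteAction(User $user, Request $request)
 {
     $deleteForm = $this->createFormBuilder(null, ['method' => 'DELETE'])
         ->add('id', HiddenType::class, ['data' => $user->getId()])
         ->getForm();
     $deleteForm->handleRequest($request);

     // isValid() is only meaningful on a submitted form; guarding with
     // isSubmitted() keeps the plain GET on the confirmation page.
     if ($deleteForm->isSubmitted() && $deleteForm->isValid()) {
         $this->em->remove($user);
         $this->em->flush($user);
         $this->addFlash('success', 'User removed.');

         return $this->redirectToRoute('admin-user_list');
     }

     return ['user' => $user, 'deleteForm' => $deleteForm->createView()];
 }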
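 /**
  * Consumes a one-time password reset link, sets the new password and logs the user in.
  *
  * The link carries the user id, the timestamp it was generated at and a token
  * computed over both by getLoginToken(). Checks, in order:
  *  1. nobody else is logged in on this browser (otherwise the reset would land
  *     in another account's session);
  *  2. the token matches — this runs before any state-dependent check, so every
  *     forged link is logged and dispatched as a failed reset, and the response
  *     does not reveal whether or when the user last logged in;
  *  3. the link has not expired and has not been superseded by a later login.
  * Links for users who have never logged in deliberately do not expire.
  *
  * @Route("/set-password/{id}/{timestamp}/{hash}", name="web-set_password", requirements={"id"="^[a-z0-9-]{36}$", "timestamp"="^\d+$", "hash"="^[a-zA-Z0-9_-]+$"})
  * @ParamConverter("resetUser", class="Model:User")
  * @Template("web/security/set-password.html.twig")
  *
  * @param User    $resetUser The user the link was issued for ({id} route parameter).
  * @param string  $timestamp Unix time the link was generated; the route restricts it to digits.
  * @param string  $hash      Token from the link, compared against getLoginToken().
  * @param Request $request   Current request, used for the form and for audit data.
  *
  * @return array|\Symfony\Component\HttpFoundation\RedirectResponse
  *     Template parameters while the form is pending, otherwise a redirect.
  */
 public function setPassword(User $resetUser, $timestamp, $hash, Request $request)
 {
     $currentUser = $this->getUser();
     if ($currentUser && $currentUser->getId() !== $resetUser->getId()) {
         // Logged in as a different user. NOTE(review): this flash is rendered as
         // HTML (it carries the logout link); the user names are user-controlled,
         // so this relies on format() escaping %-placeholders — confirm.
         $this->addFlash('error', \Undine\Functions\format('Another user (%current_user) is already logged into the site on this computer, but you tried to use a one-time link for user %reset_user. Please <a href="!logout">logout</a> and try using the link again.', ['%current_user' => $currentUser->getName(), '%reset_user' => $resetUser->getName(), '!logout' => $this->container->get('security.logout_url_generator')->getLogoutUrl('web')]));

         return $this->redirectToRoute('web-reset_password');
     }

     // Token check first: a wrong token is a sign of attack and must be recorded
     // regardless of the link's age. hash_equals() takes the known value first.
     if (!hash_equals($this->getLoginToken($resetUser, $timestamp), $hash)) {
         // NOTE(review): this dispatch passes (event, name) while the two dispatches
         // below pass (name, event); only one order matches the installed dispatcher.
         $this->dispatcher->dispatch(new UserResetPasswordFailedEvent($request, $resetUser), Events::USER_RESET_PASSWORD_FAILED);
         $this->logger->notice('Invalid reset password token used.', ['ip' => $request->getClientIp(), 'userId' => $resetUser->getId(), 'userName' => $resetUser->getName(), 'userEmail' => $resetUser->getEmail()]);
         $this->addFlash('error', 'You have tried to use a one-time login link that has either been used or is no longer valid. Please request a new one using the form below.');

         return $this->redirectToRoute('web-reset_password');
     }

     $lastLoginAt = $resetUser->getLastLoginAt();
     $timeout = 86400; // 24 hours

     // No time out for first time login: a user who has never logged in keeps the link.
     if ($lastLoginAt && $timestamp + $timeout <= $this->currentTime->getTimestamp()) {
         $this->addFlash('error', 'You have tried to use a one-time login link that has expired. Please request a new one using the form below.');

         return $this->redirectToRoute('web-reset_password');
     }

     // A login after the link was generated invalidates it (one-time semantics).
     if ($lastLoginAt && $lastLoginAt->getTimestamp() >= $timestamp) {
         $this->addFlash('error', 'You have tried to use a one-time login link that has either been used or is no longer valid. Please request a new one using the form below');

         return $this->redirectToRoute('web-reset_password');
     }

     // The form posts back to this same URL so the token is re-validated on submit.
     $form = $this->createFormBuilder(null, ['method' => 'POST', 'action' => $this->generateUrl('web-set_password', ['id' => $resetUser->getId(), 'timestamp' => $timestamp, 'hash' => $hash])])
         ->add('password', 'password', ['attr' => ['autofocus' => true], 'constraints' => [new Type(['type' => 'string']), new NotBlank()]])
         ->getForm();
     $form->handleRequest($request);

     if ($form->isSubmitted() && $form->isValid()) {
         $plainPassword = $form->getData()['password'];
         // Empty salt: assumes the configured encoder derives its own (e.g. bcrypt) — confirm.
         $password = $this->get('security.encoder_factory')->getEncoder(User::class)->encodePassword($plainPassword, '');
         $resetUser->setPassword($password);
         $this->em->persist($resetUser);
         $this->em->flush($resetUser);
         $this->addFlash('success', 'You have successfully reset your password and have been logged in.');

         // Log the user in manually; migrate the session id first so the
         // pre-authentication session cannot be reused (see UserAuthenticationProvider).
         $this->session->migrate();
         $token = new UsernamePasswordToken($resetUser, $plainPassword, 'web', $resetUser->getRoles());
         $this->get('security.token_storage')->setToken($token);

         // Dispatch the app event.
         $resetPasswordEvent = new UserResetPasswordEvent($resetUser);
         $this->dispatcher->dispatch(Events::USER_RESET_PASSWORD, $resetPasswordEvent);

         // Since we're logging the user in manually, also emit the interactive login event.
         $loginEvent = new InteractiveLoginEvent($request, $token);
         $this->dispatcher->dispatch(SecurityEvents::INTERACTIVE_LOGIN, $loginEvent);

         return $this->redirectToRoute('web-home');
     }

     return ['form' => $form->createView()];
 }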
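 /**
  * Builds the "sites" sub-resource for a user.
  *
  * Wraps the user's sites in a collection using the transformer registered
  * for Site; presumably a transformer include hook — confirm against the caller.
  *
  * @param User          $user     User whose sites are included.
  * @param ParamBag|null $paramBag Include parameters; accepted for the hook signature, not used here.
  *
  * @return mixed Whatever $this->collection() produces.
  */
 public function includeSites(User $user, ?ParamBag $paramBag = null)
 {
     // Explicit nullable type: implicit nullability via "= null" is deprecated.
     return $this->collection($user->getSites(), $this->transformers->get(Site::class));
 }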
 /**
  * Returns the user's API token string in the form "<id>-<apiToken>".
  *
  * The id part is not secret; the secret is whatever getApiToken() holds.
  * Code that checks a presented value against this one should compare it
  * with hash_equals() rather than ==.
  *
  * @param User $user User whose token is being built.
  *
  * @return string
  */
 public function getToken(User $user)
 {
     $parts = [$user->getId(), $user->getApiToken()];

     return implode('-', $parts);
 }