/** * Change the password * * @param array $data The user submitted data * @return SS_HTTPResponse */ public function doChangePassword(array $data) { if ($member = Member::currentUser()) { // The user was logged in, check the current password if (empty($data['OldPassword']) || !$member->checkPassword($data['OldPassword'])->valid()) { $this->clearMessage(); $this->sessionMessage(_t('Member.ERRORPASSWORDNOTMATCH', "Your current password does not match, please try again"), "bad"); // redirect back to the form, instead of using redirectBack() which could send the user elsewhere. return $this->controller->redirect($this->controller->Link('changepassword')); } } if (!$member) { if (Session::get('AutoLoginHash')) { $member = Member::member_from_autologinhash(Session::get('AutoLoginHash')); } // The user is not logged in and no valid auto login hash is available if (!$member) { Session::clear('AutoLoginHash'); return $this->controller->redirect($this->controller->Link('login')); } } // Check the new password if (empty($data['NewPassword1'])) { $this->clearMessage(); $this->sessionMessage(_t('Member.EMPTYNEWPASSWORD', "The new password can't be empty, please try again"), "bad"); // redirect back to the form, instead of using redirectBack() which could send the user elsewhere. return $this->controller->redirect($this->controller->Link('changepassword')); } else { if ($data['NewPassword1'] == $data['NewPassword2']) { $isValid = $member->changePassword($data['NewPassword1']); if ($isValid->valid()) { $member->logIn(); // TODO Add confirmation message to login redirect Session::clear('AutoLoginHash'); // Clear locked out status $member->LockedOutUntil = null; $member->FailedLoginCount = null; $member->write(); if (!empty($_REQUEST['BackURL']) && Director::is_site_url($_REQUEST['BackURL'])) { $url = Director::absoluteURL($_REQUEST['BackURL']); return $this->controller->redirect($url); } else { // Redirect to default location - the login form saying "You are logged in as..." $redirectURL = HTTP::setGetVar('BackURL', Director::absoluteBaseURL(), $this->controller->Link('login')); return $this->controller->redirect($redirectURL); } } else { $this->clearMessage(); $this->sessionMessage(_t('Member.INVALIDNEWPASSWORD', "We couldn't accept that password: {password}", array('password' => nl2br("\n" . $isValid->starredList()))), "bad"); // redirect back to the form, instead of using redirectBack() which could send the user elsewhere. return $this->controller->redirect($this->controller->Link('changepassword')); } } else { $this->clearMessage(); $this->sessionMessage(_t('Member.ERRORNEWPASSWORD', "You have entered your new password differently, try again"), "bad"); // redirect back to the form, instead of using redirectBack() which could send the user elsewhere. return $this->controller->redirect($this->controller->Link('changepassword')); } } }
/** * @param array $data * @return SS_HTTPResponse|void */ function doChangePassword(array $data) { try { $token = Session::get('AutoLoginHash'); $this->password_manager->changePassword($token, @$data['NewPassword1'], @$data['NewPassword2']); $member = Member::currentUser(); if (!$member) { if (empty($token)) { throw new InvalidResetPasswordTokenException(); } $member = Member::member_from_autologinhash($token); } Session::clear('AutoLoginHash'); $back_url = isset($_REQUEST['BackURL']) ? $_REQUEST['BackURL'] : '/'; return OpenStackIdCommon::loginMember($member, $back_url); } catch (InvalidResetPasswordTokenException $ex1) { Session::clear('AutoLoginHash'); Controller::curr()->redirect('login'); } catch (EmptyPasswordException $ex2) { $this->clearMessage(); $this->sessionMessage(_t('Member.EMPTYNEWPASSWORD', "The new password can't be empty, please try again"), "bad"); Controller::curr()->redirectBack(); } catch (PasswordMismatchException $ex3) { $this->clearMessage(); $this->sessionMessage(_t('Member.ERRORNEWPASSWORD', "You have entered your new password differently, try again"), "bad"); Controller::curr()->redirectBack(); } catch (InvalidPasswordException $ex4) { $this->clearMessage(); $this->sessionMessage(sprintf(_t('Member.INVALIDNEWPASSWORD', "We couldn't accept that password: %s"), nl2br("\n" . $ex4->getMessage())), "bad"); Controller::curr()->redirectBack(); } }
/** * @param string $token * @param string $password * @param string $password_confirmation * @throws InvalidResetPasswordTokenException * @throws EmptyPasswordException * @throws InvalidPasswordException * @throws PasswordMismatchException */ public function changePassword($token, $password, $password_confirmation) { $member = Member::currentUser(); if (!$member) { if (empty($token)) { throw new InvalidResetPasswordTokenException(); } $member = Member::member_from_autologinhash($token); } if (!$member) { throw new InvalidResetPasswordTokenException(); } if (empty($password)) { throw new EmptyPasswordException(); } if ($password !== $password_confirmation) { throw new PasswordMismatchException(); } $isValid = $member->changePassword($password); if (!$isValid->valid()) { throw new InvalidPasswordException($isValid->starredList()); } //invalidate former auto login token $member->generateAutologinTokenAndStoreHash(); //send confirmation email $email = EmailFactory::getInstance()->buildEmail(CHANGE_PASSWORD_EMAIL_FROM, $member->Email, CHANGE_PASSWORD_EMAIL_SUBJECT); $email->setTemplate('ChangedPasswordEmail'); $email->populateTemplate(array('MemberName' => $member->getFullName())); $email->send(); }
/** * Change the password * * @param array $data The user submitted data */ function doChangePassword(array $data) { if ($member = Member::currentUser()) { // The user was logged in, check the current password if (empty($data['OldPassword']) || !$member->checkPassword($data['OldPassword'])->valid()) { $this->clearMessage(); $this->sessionMessage(_t('Member.ERRORPASSWORDNOTMATCH', "Your current password does not match, please try again"), "bad"); Director::redirectBack(); return; } } if (!$member) { if (Session::get('AutoLoginHash')) { $member = Member::member_from_autologinhash(Session::get('AutoLoginHash')); } // The user is not logged in and no valid auto login hash is available if (!$member) { Session::clear('AutoLoginHash'); Director::redirect('loginpage'); return; } } // Check the new password if (empty($data['NewPassword1'])) { $this->clearMessage(); $this->sessionMessage(_t('Member.EMPTYNEWPASSWORD', "The new password can't be empty, please try again"), "bad"); Director::redirectBack(); return; } else { if ($data['NewPassword1'] == $data['NewPassword2']) { $isValid = $member->changePassword($data['NewPassword1']); if ($isValid->valid()) { $this->clearMessage(); $this->sessionMessage(_t('Member.PASSWORDCHANGED', "Your password has been changed, and a copy emailed to you."), "good"); Session::clear('AutoLoginHash'); if (isset($_REQUEST['BackURL']) && $_REQUEST['BackURL'] && Director::is_site_url($_REQUEST['BackURL'])) { Director::redirect($_REQUEST['BackURL']); } else { // Redirect to default location - the login form saying "You are logged in as..." $redirectURL = HTTP::setGetVar('BackURL', Director::absoluteBaseURL(), Security::Link('login')); Director::redirect($redirectURL); } } else { $this->clearMessage(); $this->sessionMessage(sprintf(_t('Member.INVALIDNEWPASSWORD', "We couldn't accept that password: %s"), nl2br("\n" . $isValid->starredList())), "bad"); Director::redirectBack(); } } else { $this->clearMessage(); $this->sessionMessage(_t('Member.ERRORNEWPASSWORD', "You have entered your new password differently, try again"), "bad"); Director::redirectBack(); } } }
/** * Change the password * * @param array $data The user submitted data */ function doChangePassword(array $data) { if ($member = Member::currentUser()) { // The user was logged in, check the current password if (isset($data['OldPassword']) && $member->checkPassword($data['OldPassword']) == false) { $this->clearMessage(); $this->sessionMessage(_t('Member.ERRORPASSWORDNOTMATCH', "Your current password does not match, please try again"), "bad"); Director::redirectBack(); return; } } if (!$member) { if (Session::get('AutoLoginHash')) { $member = Member::member_from_autologinhash(Session::get('AutoLoginHash')); } // The user is not logged in and no valid auto login hash is available if (!$member) { Session::clear('AutoLoginHash'); Director::redirect('loginpage'); return; } } // Check the new password if ($data['NewPassword1'] == $data['NewPassword2']) { $isValid = $member->changePassword($data['NewPassword1']); if ($isValid->valid()) { $this->clearMessage(); $this->sessionMessage(_t('Member.PASSWORDCHANGED', "Your password has been changed, and a copy emailed to you."), "good"); Session::clear('AutoLoginHash'); $redirectURL = HTTP::setGetVar('BackURL', urlencode(Director::absoluteBaseURL()), Security::Link('login')); Director::redirect($redirectURL); } else { $this->clearMessage(); $this->sessionMessage(nl2br("We couldn't accept that password:\n" . $isValid->starredList()), "bad"); Director::redirectBack(); } } else { $this->clearMessage(); $this->sessionMessage(_t('Member.ERRORNEWPASSWORD', "Your have entered your new password differently, try again"), "bad"); Director::redirectBack(); } }
/** * Show the "change password" page. * This page can either be called directly by logged-in users * (in which case they need to provide their old password), * or through a link emailed through {@link lostpassword()}. * In this case no old password is required, authentication is ensured * through the Member.AutoLoginHash property. * * @see ChangePasswordForm * * @return string Returns the "change password" page as HTML code. */ public function changepassword() { if (class_exists('SiteTree')) { $tmpPage = new Page(); $tmpPage->Title = _t('Security.CHANGEPASSWORDHEADER', 'Change your password'); $tmpPage->URLSegment = 'Security'; $tmpPage->ID = -1; // Set the page ID to -1 so we dont get the top level pages as its children $controller = new Page_Controller($tmpPage); $controller->init(); } else { $controller = $this; } // First load with hash: Redirect to same URL without hash to avoid referer leakage if (isset($_REQUEST['h']) && Member::member_from_autologinhash($_REQUEST['h'])) { // The auto login hash is valid, store it for the change password form. // Temporary value, unset in ChangePasswordForm Session::set('AutoLoginHash', $_REQUEST['h']); return $this->redirect($this->Link('changepassword')); // Redirection target after "First load with hash" } elseif (Session::get('AutoLoginHash')) { $customisedController = $controller->customise(array('Content' => '<p>' . _t('Security.ENTERNEWPASSWORD', 'Please enter a new password.') . '</p>', 'Form' => $this->ChangePasswordForm())); } elseif (Member::currentUser()) { // let a logged in user change his password $customisedController = $controller->customise(array('Content' => '<p>' . _t('Security.CHANGEPASSWORDBELOW', 'You can change your password below.') . '</p>', 'Form' => $this->ChangePasswordForm())); } else { // show an error message if the auto login hash is invalid and the // user is not logged in if (isset($_REQUEST['h'])) { $customisedController = $controller->customise(array('Content' => sprintf(_t('Security.NOTERESETLINKINVALID', '<p>The password reset link is invalid or expired.</p><p>You can request a new one <a href="%s">here</a> or change your password after you <a href="%s">logged in</a>.</p>'), $this->Link('lostpassword'), $this->link('login')))); } else { self::permissionFailure($this, _t('Security.ERRORPASSWORDPERMISSION', 'You must be logged in in order to change your password!')); return; } } return $customisedController->renderWith(array('Security_changepassword', 'Security', $this->stat('template_main'), 'BlankPage')); }
/** * Show the "change password" page * * @return string Returns the "change password" page as HTML code. */ public function changepassword() { $tmpPage = new Page(); $tmpPage->Title = _t('Security.CHANGEPASSWORDHEADER', 'Change your password'); $tmpPage->URLSegment = 'Security'; $controller = new Page_Controller($tmpPage); $controller->init(); if(isset($_REQUEST['h']) && Member::member_from_autologinhash($_REQUEST['h'])) { // The auto login hash is valid, store it for the change password form Session::set('AutoLoginHash', $_REQUEST['h']); $customisedController = $controller->customise(array( 'Content' => '<p>' . _t('Security.ENTERNEWPASSWORD', 'Please enter a new password.') . '</p>', 'Form' => $this->ChangePasswordForm(), )); } elseif(Member::currentUser()) { // let a logged in user change his password $customisedController = $controller->customise(array( 'Content' => '<p>' . _t('Security.CHANGEPASSWORDBELOW', 'You can change your password below.') . '</p>', 'Form' => $this->ChangePasswordForm())); } else { // show an error message if the auto login hash is invalid and the // user is not logged in if(isset($_REQUEST['h'])) { $customisedController = $controller->customise( array('Content' => sprintf( _t('Security.NOTERESETLINKINVALID', '<p>The password reset link is invalid or expired.</p><p>You can request a new one <a href="%s">here</a> or change your password after you <a href="%s">logged in</a>.</p>' ), $this->Link('lostpassword'), $this->link('login') ) ) ); } else { self::permissionFailure( $this, _t('Security.ERRORPASSWORDPERMISSION', 'You must be logged in in order to change your password!') ); return; } } //Controller::$currentController = $controller; return $customisedController->renderWith(array('Security_changepassword', 'Security', $this->stat('template_main'))); }
/** * Change the password * * @param array $data The user submitted data * @return SS_HTTPResponse */ public function doChangePassword(array $data) { /** * @var LDAPService $service */ $service = Injector::inst()->get('LDAPService'); if ($member = Member::currentUser()) { try { $userData = $service->getUserByGUID($member->GUID); } catch (Exception $e) { SS_Log::log($e->getMessage(), SS_Log::ERR); $this->clearMessage(); $this->sessionMessage(_t('LDAPAuthenticator.NOUSER', 'Your account hasn\'t been setup properly, please contact an administrator.'), 'bad'); return $this->controller->redirect($this->controller->Link('changepassword')); } $loginResult = $service->authenticate($userData['samaccountname'], $data['OldPassword']); if (!$loginResult['success']) { $this->clearMessage(); $this->sessionMessage(_t('Member.ERRORPASSWORDNOTMATCH', "Your current password does not match, please try again"), "bad"); // redirect back to the form, instead of using redirectBack() which could send the user elsewhere. return $this->controller->redirect($this->controller->Link('changepassword')); } } if (!$member) { if (Session::get('AutoLoginHash')) { $member = Member::member_from_autologinhash(Session::get('AutoLoginHash')); } // The user is not logged in and no valid auto login hash is available if (!$member) { Session::clear('AutoLoginHash'); return $this->controller->redirect($this->controller->Link('login')); } } // Check the new password if (empty($data['NewPassword1'])) { $this->clearMessage(); $this->sessionMessage(_t('Member.EMPTYNEWPASSWORD', "The new password can't be empty, please try again"), "bad"); // redirect back to the form, instead of using redirectBack() which could send the user elsewhere. return $this->controller->redirect($this->controller->Link('changepassword')); } else { if ($data['NewPassword1'] == $data['NewPassword2']) { $isValid = $service->setPassword($member, $data['NewPassword1']); // try to catch connection and other errors that the ldap service can through if ($isValid->valid()) { $member->logIn(); Session::clear('AutoLoginHash'); // Clear locked out status $member->LockedOutUntil = null; $member->FailedLoginCount = null; $member->write(); if (!empty($_REQUEST['BackURL']) && Director::is_site_url($_REQUEST['BackURL'])) { $url = Director::absoluteURL($_REQUEST['BackURL']); return $this->controller->redirect($url); } else { // Redirect to default location - the login form saying "You are logged in as..." $redirectURL = HTTP::setGetVar('BackURL', Director::absoluteBaseURL(), $this->controller->Link('login')); return $this->controller->redirect($redirectURL); } } else { $this->clearMessage(); $this->sessionMessage($isValid->message(), "bad"); // redirect back to the form, instead of using redirectBack() which could send the user elsewhere. return $this->controller->redirect($this->controller->Link('changepassword')); } } else { $this->clearMessage(); $this->sessionMessage(_t('Member.ERRORNEWPASSWORD', "You have entered your new password differently, try again"), "bad"); // redirect back to the form, instead of using redirectBack() which could send the user elsewhere. return $this->controller->redirect($this->controller->Link('changepassword')); } } }