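/**
 * Change a user's password, verifying the current one when it is supplied.
 *
 * Flow: optionally verify $oldPassword against the stored hash, validate the
 * new password through validatePassword(), store its PHPass hash, roll the
 * password-history list, persist the user, drop any outstanding lost-password
 * token, write an audit entry and emit an 'update' event.
 *
 * @param UserModel   $user        Persisted user (must have an Id).
 * @param string      $newPassword Plaintext replacement password.
 * @param string|null $oldPassword Plaintext current password. When null/empty
 *                                 the current password is NOT verified, so the
 *                                 caller must omit it only from a flow that has
 *                                 already authenticated the user by other means
 *                                 (e.g. a lost-password token). NOTE(review):
 *                                 confirm every caller that passes null.
 *
 * @return UserModel The updated user model.
 *
 * @throws InvalidArgumentException when the user has no Id or no new password
 *                                  is given.
 * @throws \Application\Exceptions\ValidateException when $oldPassword is given
 *                                  but wrong (ValidationCodes::USER_INVALID_PASSWORD),
 *                                  or when validatePassword() rejects the new value.
 */
public function updatePassword(UserModel $user, $newPassword, $oldPassword = null)
{
    if (!$user->getId()) {
        throw new InvalidArgumentException('Supplied user model does not have an Id');
    }
    // Truthiness check keeps the original contract: '' and null mean "not given".
    // NOTE(review): the string '0' is rejected here too; use === null / === ''
    // if that ever matters.
    if (!$newPassword) {
        throw new InvalidArgumentException('newPassword param not given');
    }
    $userId = $user->getId();

    // PHPass hashing resource registered on the bootstrap.
    $bootstrap = \Zend_Controller_Front::getInstance()->getParam('bootstrap');
    $phpass = $bootstrap->getResource('PHPass');

    // Verify the current password only when one was supplied (see docblock).
    if ($oldPassword && !$phpass->checkPassword($oldPassword, $user->getPassword())) {
        throw new \Application\Exceptions\ValidateException(
            "Invalid old password given",
            ValidationCodes::USER_INVALID_PASSWORD
        );
    }

    // validatePassword() inspects the plaintext placed on the model. If it
    // rejects the value, restore the previous hash so a plaintext password is
    // never left on a model the caller might still persist or log.
    $previousHash = $user->getPassword();
    $user->setPassword($newPassword);
    try {
        $this->validatePassword($user);
    } catch (\Exception $e) {
        $user->setPassword($previousHash);
        throw $e;
    }

    // Only the PHPass hash is stored on the profile.
    $user->setPassword($phpass->hashPassword($newPassword));
    $user->setLastPasswordChange(time());

    // Roll the password-history list: keep the most recent (limit - 1) entries
    // and append the new one, so at most $historyLimit entries remain.
    $historyLimit = \App::config('lastUsedPasswordsLimit', 10);
    $history = $this->getLastUsedPasswords($userId);
    if (!$history) {
        $history = array();
    }
    if (count($history) >= $historyLimit) {
        // max() guards a misconfigured limit of 0 (original produced a
        // negative slice offset); a length of 0 yields an empty list.
        $keep = max(0, $historyLimit - 1);
        $history = array_slice($history, -$keep, $keep);
    }
    // NOTE(review): history entries are unsalted sha1 of the plaintext, which
    // is fast to brute-force if this table leaks. The reuse check elsewhere
    // depends on this format, so it is kept; migrate to a slow, salted hash
    // together with that check.
    $history[] = sha1($newPassword);

    // One mapper instance for both calls; $userId used consistently instead of
    // mixing $user->id and $user->getId().
    $userMapper = \Application\Model\Mapper\UserMapper::getInstance();
    $userMapper->insertLastUsedPasswords($userId, $history);

    // Persist the profile, then drop any outstanding lost-password token
    // (presumably so it cannot be replayed after this change).
    $user->save();
    $userMapper->removeLostPasswordToken($userId);

    \App::audit('Updated password for user with Id ' . $userId, $user);
    $this->_sendEvent('update', $user);

    return $user;
}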