/**
 * Store a new password for a DEFAULT user (FACEBOOK users carry no password).
 *
 * The caller has already been pre-verified through verifyPasswordReset() within the
 * one-hour window, so the 60-minute limit is not re-checked here. The request is
 * authenticated by the combination of username and password-reset hash, both of which
 * arrive from (hidden) form fields; the reset hash is consumed (cleared) by the model
 * when the new password is persisted, so it cannot be replayed.
 *
 * @param string $user_name
 * @param string $user_password_reset_hash
 * @param string $user_password_new
 * @param string $user_password_repeat
 *
 * @return bool true when the password was validated, hashed and saved; false otherwise
 */
public static function setNewPassword($user_name, $user_password_reset_hash, $user_password_new, $user_password_repeat)
{
    // reject early unless the reset hash, username and both password fields pass validation
    $input_is_valid = self::validateNewPassword(
        $user_name,
        $user_password_reset_hash,
        $user_password_new,
        $user_password_repeat
    );
    if (!$input_is_valid) {
        return false;
    }

    // hash (and salt) with password_hash(). PASSWORD_DEFAULT currently yields a 60-character
    // bcrypt string, but the algorithm may change across PHP releases, so the storage column
    // should allow for longer values than that.
    $hashed_password = password_hash($user_password_new, PASSWORD_DEFAULT);

    // persist the hash and clear the one-time reset hash in the same model call
    $was_saved = PasswordResetModel::saveNewUserPassword($user_name, $hashed_password, $user_password_reset_hash);

    $feedback_channel = $was_saved ? 'feedback_positive' : 'feedback_negative';
    $feedback_text_key = $was_saved ? 'FEEDBACK_PASSWORD_CHANGE_SUCCESSFUL' : 'FEEDBACK_PASSWORD_CHANGE_FAILED';
    Session::add($feedback_channel, Text::get($feedback_text_key));

    return $was_saved ? true : false;
}