2017-03-02 03:24:38 +01:00
|
|
|
<?php
|
|
|
|
|
2017-04-22 06:30:10 +02:00
|
|
|
namespace SilverStripe\Security\MemberAuthenticator;
|
2017-03-02 03:24:38 +01:00
|
|
|
|
|
|
|
use SilverStripe\Control\Controller;
|
|
|
|
use SilverStripe\Control\Email\Email;
|
|
|
|
use SilverStripe\Control\HTTPResponse;
|
2017-04-22 06:30:10 +02:00
|
|
|
use SilverStripe\Control\RequestHandler;
|
2017-06-09 05:07:35 +02:00
|
|
|
use SilverStripe\Core\Convert;
|
2017-05-30 09:42:00 +02:00
|
|
|
use SilverStripe\Forms\Form;
|
2017-06-09 05:07:35 +02:00
|
|
|
use SilverStripe\ORM\FieldType\DBField;
|
2017-04-22 06:30:10 +02:00
|
|
|
use SilverStripe\Security\Member;
|
|
|
|
use SilverStripe\Security\Security;
|
2017-03-02 03:24:38 +01:00
|
|
|
|
|
|
|
/**
|
|
|
|
* Handle login requests from MemberLoginForm
|
|
|
|
*/
|
2017-04-22 06:30:10 +02:00
|
|
|
class LostPasswordHandler extends RequestHandler
|
2017-03-02 03:24:38 +01:00
|
|
|
{
|
2017-05-30 09:42:00 +02:00
|
|
|
/**
|
|
|
|
* Authentication class to use
|
|
|
|
* @var string
|
|
|
|
*/
|
2017-04-22 06:30:10 +02:00
|
|
|
protected $authenticatorClass = MemberAuthenticator::class;
|
|
|
|
|
2017-05-30 09:42:00 +02:00
|
|
|
/**
|
|
|
|
* @var array
|
|
|
|
*/
|
2017-04-22 06:30:10 +02:00
|
|
|
private static $url_handlers = [
|
2018-06-26 14:29:59 +02:00
|
|
|
'passwordsent' => 'passwordsent',
|
|
|
|
'' => 'lostpassword',
|
2017-04-22 06:30:10 +02:00
|
|
|
];
|
2017-03-02 03:24:38 +01:00
|
|
|
|
|
|
|
/**
|
|
|
|
* Since the logout and dologin actions may be conditionally removed, it's necessary to ensure these
|
|
|
|
* remain valid actions regardless of the member login state.
|
|
|
|
*
|
|
|
|
* @var array
|
|
|
|
* @config
|
|
|
|
*/
|
|
|
|
private static $allowed_actions = [
|
2017-04-22 06:30:10 +02:00
|
|
|
'lostpassword',
|
|
|
|
'LostPasswordForm',
|
|
|
|
'passwordsent',
|
2017-03-02 03:24:38 +01:00
|
|
|
];
|
|
|
|
|
2018-03-23 03:28:00 +01:00
|
|
|
/**
|
|
|
|
* Link to this handler
|
|
|
|
*
|
|
|
|
* @var string
|
|
|
|
*/
|
|
|
|
protected $link = null;
|
2017-04-22 06:30:10 +02:00
|
|
|
|
2017-03-02 03:24:38 +01:00
|
|
|
/**
|
2017-05-30 09:42:00 +02:00
|
|
|
* @param string $link The URL to recreate this request handler
|
2017-03-02 03:24:38 +01:00
|
|
|
*/
|
2017-04-22 06:30:10 +02:00
|
|
|
public function __construct($link)
|
2017-03-02 03:24:38 +01:00
|
|
|
{
|
2017-04-22 06:30:10 +02:00
|
|
|
$this->link = $link;
|
|
|
|
parent::__construct();
|
|
|
|
}
|
2017-03-02 03:24:38 +01:00
|
|
|
|
2017-04-22 06:30:10 +02:00
|
|
|
/**
|
|
|
|
* Return a link to this request handler.
|
|
|
|
* The link returned is supplied in the constructor
|
2017-05-30 09:42:00 +02:00
|
|
|
*
|
2018-03-23 03:28:00 +01:00
|
|
|
* @param string|null $action
|
2017-04-22 06:30:10 +02:00
|
|
|
* @return string
|
|
|
|
*/
|
2018-03-23 03:28:00 +01:00
|
|
|
public function Link($action = null)
|
2017-04-22 06:30:10 +02:00
|
|
|
{
|
2018-03-23 03:28:00 +01:00
|
|
|
$link = Controller::join_links($this->link, $action);
|
|
|
|
$this->extend('updateLink', $link, $action);
|
|
|
|
return $link;
|
2017-03-02 03:24:38 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
/**
|
2017-04-22 06:30:10 +02:00
|
|
|
* URL handler for the initial lost-password screen
|
2017-05-30 09:42:00 +02:00
|
|
|
*
|
|
|
|
* @return array
|
2017-03-02 03:24:38 +01:00
|
|
|
*/
|
2017-04-22 06:30:10 +02:00
|
|
|
public function lostpassword()
|
2017-03-02 03:24:38 +01:00
|
|
|
{
|
2017-04-22 06:30:10 +02:00
|
|
|
|
|
|
|
$message = _t(
|
2017-05-30 09:42:00 +02:00
|
|
|
'SilverStripe\\Security\\Security.NOTERESETPASSWORD',
|
2017-04-22 06:30:10 +02:00
|
|
|
'Enter your e-mail address and we will send you a link with which you can reset your password'
|
|
|
|
);
|
|
|
|
|
|
|
|
return [
|
|
|
|
'Content' => DBField::create_field('HTMLFragment', "<p>$message</p>"),
|
2017-05-30 09:42:00 +02:00
|
|
|
'Form' => $this->lostPasswordForm(),
|
2017-04-22 06:30:10 +02:00
|
|
|
];
|
2017-03-02 03:24:38 +01:00
|
|
|
}
|
|
|
|
|
2017-04-22 06:30:10 +02:00
|
|
|
/**
|
|
|
|
* Show the "password sent" page, after a user has requested
|
|
|
|
* to reset their password.
|
2017-05-30 09:42:00 +02:00
|
|
|
*
|
|
|
|
* @return array
|
2017-04-22 06:30:10 +02:00
|
|
|
*/
|
|
|
|
public function passwordsent()
|
2017-03-02 03:24:38 +01:00
|
|
|
{
|
2017-04-22 06:30:10 +02:00
|
|
|
$message = _t(
|
2018-06-26 14:29:59 +02:00
|
|
|
'SilverStripe\\Security\\Security.PASSWORDRESETSENTTEXT',
|
|
|
|
"Thank you. A reset link has been sent, provided an account exists for this email address."
|
2017-04-22 06:30:10 +02:00
|
|
|
);
|
|
|
|
|
|
|
|
return [
|
2018-06-26 14:29:59 +02:00
|
|
|
'Title' => _t(
|
|
|
|
'SilverStripe\\Security\\Security.PASSWORDRESETSENTHEADER',
|
|
|
|
"Password reset link sent"
|
2017-04-22 06:30:10 +02:00
|
|
|
),
|
|
|
|
'Content' => DBField::create_field('HTMLFragment', "<p>$message</p>"),
|
|
|
|
];
|
2017-03-02 03:24:38 +01:00
|
|
|
}
|
|
|
|
|
2017-04-22 06:30:10 +02:00
|
|
|
|
2017-03-02 03:24:38 +01:00
|
|
|
/**
|
2017-04-22 06:30:10 +02:00
|
|
|
* Factory method for the lost password form
|
2017-03-02 03:24:38 +01:00
|
|
|
*
|
2017-04-22 06:30:10 +02:00
|
|
|
* @skipUpgrade
|
|
|
|
* @return Form Returns the lost password form
|
|
|
|
*/
|
|
|
|
public function lostPasswordForm()
|
|
|
|
{
|
2017-06-08 09:12:28 +02:00
|
|
|
return LostPasswordForm::create(
|
2017-04-22 06:30:10 +02:00
|
|
|
$this,
|
|
|
|
$this->authenticatorClass,
|
2017-05-30 09:42:00 +02:00
|
|
|
'lostPasswordForm',
|
2017-06-08 09:12:28 +02:00
|
|
|
null,
|
|
|
|
null,
|
2017-04-22 06:30:10 +02:00
|
|
|
false
|
|
|
|
);
|
|
|
|
}
|
|
|
|
|
|
|
|
/**
|
|
|
|
* Redirect to password recovery form
|
2017-03-02 03:24:38 +01:00
|
|
|
*
|
|
|
|
* @return HTTPResponse
|
|
|
|
*/
|
2017-04-22 06:30:10 +02:00
|
|
|
public function redirectToLostPassword()
|
2017-03-02 03:24:38 +01:00
|
|
|
{
|
2017-04-22 06:30:10 +02:00
|
|
|
$lostPasswordLink = Security::singleton()->Link('lostpassword');
|
2017-03-02 03:24:38 +01:00
|
|
|
|
2017-05-30 09:42:00 +02:00
|
|
|
return $this->redirect($this->addBackURLParam($lostPasswordLink));
|
2017-03-02 03:24:38 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
/**
|
|
|
|
* Forgot password form handler method.
|
|
|
|
* Called when the user clicks on "I've lost my password".
|
|
|
|
* Extensions can use the 'forgotPassword' method to veto executing
|
|
|
|
* the logic, by returning FALSE. In this case, the user will be redirected back
|
|
|
|
* to the form without further action. It is recommended to set a message
|
|
|
|
* in the form detailing why the action was denied.
|
|
|
|
*
|
|
|
|
* @skipUpgrade
|
|
|
|
* @param array $data Submitted data
|
2017-06-08 09:12:28 +02:00
|
|
|
* @param LostPasswordForm $form
|
2017-03-02 03:24:38 +01:00
|
|
|
* @return HTTPResponse
|
|
|
|
*/
|
2017-06-08 09:12:28 +02:00
|
|
|
public function forgotPassword($data, $form)
|
2017-03-02 03:24:38 +01:00
|
|
|
{
|
2017-10-04 01:31:36 +02:00
|
|
|
// Run a first pass validation check on the data
|
|
|
|
$dataValidation = $this->validateForgotPasswordData($data, $form);
|
|
|
|
if ($dataValidation instanceof HTTPResponse) {
|
|
|
|
return $dataValidation;
|
2017-03-02 03:24:38 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
/** @var Member $member */
|
2017-10-04 01:31:36 +02:00
|
|
|
$member = $this->getMemberFromData($data);
|
2017-03-02 03:24:38 +01:00
|
|
|
|
|
|
|
// Allow vetoing forgot password requests
|
|
|
|
$results = $this->extend('forgotPassword', $member);
|
2022-04-14 03:12:59 +02:00
|
|
|
if ($results && is_array($results) && in_array(false, $results ?? [], true)) {
|
2017-03-02 03:24:38 +01:00
|
|
|
return $this->redirectToLostPassword();
|
|
|
|
}
|
|
|
|
|
|
|
|
if ($member) {
|
|
|
|
$token = $member->generateAutologinTokenAndStoreHash();
|
|
|
|
|
2017-06-08 09:12:28 +02:00
|
|
|
$this->sendEmail($member, $token);
|
2017-03-02 03:24:38 +01:00
|
|
|
}
|
|
|
|
|
2017-10-04 01:31:36 +02:00
|
|
|
return $this->redirectToSuccess($data);
|
|
|
|
}
|
2017-03-02 03:24:38 +01:00
|
|
|
|
2017-10-04 01:31:36 +02:00
|
|
|
/**
|
|
|
|
* Ensure that the user has provided an email address. Note that the "Email" key is specific to this
|
|
|
|
* implementation, but child classes can override this method to use another unique identifier field
|
|
|
|
* for validation.
|
|
|
|
*
|
|
|
|
* @param array $data
|
|
|
|
* @param LostPasswordForm $form
|
|
|
|
* @return HTTPResponse|null
|
|
|
|
*/
|
|
|
|
protected function validateForgotPasswordData(array $data, LostPasswordForm $form)
|
|
|
|
{
|
|
|
|
if (empty($data['Email'])) {
|
|
|
|
$form->sessionMessage(
|
|
|
|
_t(
|
|
|
|
'SilverStripe\\Security\\Member.ENTEREMAIL',
|
|
|
|
'Please enter an email address to get a password reset link.'
|
|
|
|
),
|
|
|
|
'bad'
|
|
|
|
);
|
|
|
|
|
|
|
|
return $this->redirectToLostPassword();
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
/**
|
|
|
|
* Load an existing Member from the provided data
|
|
|
|
*
|
|
|
|
* @param array $data
|
|
|
|
* @return Member|null
|
|
|
|
*/
|
|
|
|
protected function getMemberFromData(array $data)
|
|
|
|
{
|
|
|
|
if (!empty($data['Email'])) {
|
|
|
|
$uniqueIdentifier = Member::config()->get('unique_identifier_field');
|
|
|
|
return Member::get()->filter([$uniqueIdentifier => $data['Email']])->first();
|
|
|
|
}
|
2017-03-02 03:24:38 +01:00
|
|
|
}
|
2017-06-08 09:12:28 +02:00
|
|
|
|
|
|
|
/**
|
|
|
|
* Send the email to the member that requested a reset link
|
|
|
|
* @param Member $member
|
|
|
|
* @param string $token
|
|
|
|
* @return bool
|
|
|
|
*/
|
|
|
|
protected function sendEmail($member, $token)
|
|
|
|
{
|
|
|
|
/** @var Email $email */
|
|
|
|
$email = Email::create()
|
|
|
|
->setHTMLTemplate('SilverStripe\\Control\\Email\\ForgotPasswordEmail')
|
|
|
|
->setData($member)
|
|
|
|
->setSubject(_t(
|
|
|
|
'SilverStripe\\Security\\Member.SUBJECTPASSWORDRESET',
|
|
|
|
"Your password reset link",
|
|
|
|
'Email subject'
|
|
|
|
))
|
|
|
|
->addData('PasswordResetLink', Security::getPasswordResetLink($member, $token))
|
|
|
|
->setTo($member->Email);
|
2022-05-13 10:18:24 +02:00
|
|
|
|
|
|
|
$member->extend('updateForgotPasswordEmail', $email);
|
2017-06-08 09:12:28 +02:00
|
|
|
return $email->send();
|
|
|
|
}
|
2017-10-04 01:31:36 +02:00
|
|
|
|
|
|
|
/**
|
2021-12-13 09:05:33 +01:00
|
|
|
* Avoid information disclosure by displaying the same status, regardless whether the email address actually exists
|
2017-10-04 01:31:36 +02:00
|
|
|
*
|
|
|
|
* @param array $data
|
|
|
|
* @return HTTPResponse
|
|
|
|
*/
|
|
|
|
protected function redirectToSuccess(array $data)
|
|
|
|
{
|
2018-06-26 14:29:59 +02:00
|
|
|
$link = $this->link('passwordsent');
|
2017-10-04 01:31:36 +02:00
|
|
|
|
|
|
|
return $this->redirect($this->addBackURLParam($link));
|
|
|
|
}
|
2017-03-02 03:24:38 +01:00
|
|
|
}
|