2007-07-19 12:40:28 +02:00
|
|
|
<?php
|
2016-06-23 01:37:22 +02:00
|
|
|
|
|
|
|
namespace SilverStripe\Security;
|
|
|
|
|
2016-08-19 00:51:35 +02:00
|
|
|
use SilverStripe\Control\Controller;
|
2016-09-09 08:43:05 +02:00
|
|
|
use SilverStripe\Control\HTTPResponse;
|
2016-08-19 00:51:35 +02:00
|
|
|
use SilverStripe\Core\Convert;
|
|
|
|
use SilverStripe\Control\Session;
|
|
|
|
use SilverStripe\Control\Director;
|
|
|
|
use SilverStripe\Control\HTTP;
|
|
|
|
use SilverStripe\Forms\FieldList;
|
|
|
|
use SilverStripe\Forms\FormField;
|
|
|
|
use SilverStripe\Forms\PasswordField;
|
|
|
|
use SilverStripe\Forms\FormAction;
|
|
|
|
use SilverStripe\Forms\HiddenField;
|
|
|
|
use SilverStripe\Forms\Form;
|
2016-06-23 01:37:22 +02:00
|
|
|
|
2007-09-16 02:32:48 +02:00
|
|
|
/**
|
|
|
|
* Standard Change Password Form
|
|
|
|
*/
|
|
|
|
class ChangePasswordForm extends Form {
|
2016-01-06 00:34:58 +01:00
|
|
|
|
2007-09-16 02:44:30 +02:00
|
|
|
/**
|
|
|
|
* Constructor
|
|
|
|
*
|
2016-08-19 00:51:35 +02:00
|
|
|
* @param Controller $controller The parent controller, necessary to create the appropriate form action tag.
|
|
|
|
* @param string $name The method on the controller that will return this form object.
|
|
|
|
* @param FieldList|FormField $fields All of the fields in the form - a {@link FieldList} of
|
|
|
|
* {@link FormField} objects.
|
|
|
|
* @param FieldList|FormAction $actions All of the action buttons in the form - a {@link FieldList} of
|
2007-09-16 02:44:30 +02:00
|
|
|
*/
|
2012-09-19 12:07:39 +02:00
|
|
|
public function __construct($controller, $name, $fields = null, $actions = null) {
|
2010-10-13 05:36:39 +02:00
|
|
|
if(isset($_REQUEST['BackURL'])) {
|
|
|
|
$backURL = $_REQUEST['BackURL'];
|
|
|
|
} else {
|
|
|
|
$backURL = Session::get('BackURL');
|
|
|
|
}
|
2013-06-08 01:34:58 +02:00
|
|
|
|
2007-07-19 12:40:28 +02:00
|
|
|
if(!$fields) {
|
2011-05-11 09:51:54 +02:00
|
|
|
$fields = new FieldList();
|
2016-01-06 00:34:58 +01:00
|
|
|
|
2010-12-09 22:18:49 +01:00
|
|
|
// Security/changepassword?h=XXX redirects to Security/changepassword
|
|
|
|
// without GET parameter to avoid potential HTTP referer leakage.
|
|
|
|
// In this case, a user is not logged in, and no 'old password' should be necessary.
|
|
|
|
if(Member::currentUser()) {
|
2008-10-16 15:43:31 +02:00
|
|
|
$fields->push(new PasswordField("OldPassword",_t('Member.YOUROLDPASSWORD', "Your old password")));
|
2007-09-16 02:32:48 +02:00
|
|
|
}
|
|
|
|
|
2008-10-16 15:43:31 +02:00
|
|
|
$fields->push(new PasswordField("NewPassword1", _t('Member.NEWPASSWORD', "New Password")));
|
|
|
|
$fields->push(new PasswordField("NewPassword2", _t('Member.CONFIRMNEWPASSWORD', "Confirm New Password")));
|
2007-07-19 12:40:28 +02:00
|
|
|
}
|
|
|
|
if(!$actions) {
|
2011-05-11 09:51:54 +02:00
|
|
|
$actions = new FieldList(
|
2008-04-26 08:31:52 +02:00
|
|
|
new FormAction("doChangePassword", _t('Member.BUTTONCHANGEPASSWORD', "Change Password"))
|
2007-07-19 12:40:28 +02:00
|
|
|
);
|
|
|
|
}
|
2007-09-16 02:32:48 +02:00
|
|
|
|
2010-10-13 05:36:39 +02:00
|
|
|
if(isset($backURL)) {
|
|
|
|
$fields->push(new HiddenField('BackURL', 'BackURL', $backURL));
|
|
|
|
}
|
|
|
|
|
2007-07-19 12:40:28 +02:00
|
|
|
parent::__construct($controller, $name, $fields, $actions);
|
|
|
|
}
|
2007-09-16 02:32:48 +02:00
|
|
|
|
2007-09-16 02:44:30 +02:00
|
|
|
|
2007-09-16 02:32:48 +02:00
|
|
|
/**
|
|
|
|
* Change the password
|
|
|
|
*
|
|
|
|
* @param array $data The user submitted data
|
2016-09-09 08:43:05 +02:00
|
|
|
* @return HTTPResponse
|
2007-09-16 02:32:48 +02:00
|
|
|
*/
|
2012-09-19 12:07:39 +02:00
|
|
|
public function doChangePassword(array $data) {
|
2007-09-16 02:32:48 +02:00
|
|
|
if($member = Member::currentUser()) {
|
|
|
|
// The user was logged in, check the current password
|
2010-10-13 05:36:13 +02:00
|
|
|
if(empty($data['OldPassword']) || !$member->checkPassword($data['OldPassword'])->valid()) {
|
2007-07-19 12:40:28 +02:00
|
|
|
$this->clearMessage();
|
2007-09-16 02:32:48 +02:00
|
|
|
$this->sessionMessage(
|
2016-01-06 00:34:58 +01:00
|
|
|
_t('Member.ERRORPASSWORDNOTMATCH', "Your current password does not match, please try again"),
|
2007-10-25 04:47:45 +02:00
|
|
|
"bad"
|
|
|
|
);
|
2013-06-08 01:34:58 +02:00
|
|
|
// redirect back to the form, instead of using redirectBack() which could send the user elsewhere.
|
2014-04-10 07:21:10 +02:00
|
|
|
return $this->controller->redirect($this->controller->Link('changepassword'));
|
2007-07-19 12:40:28 +02:00
|
|
|
}
|
2007-09-16 02:32:48 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
if(!$member) {
|
|
|
|
if(Session::get('AutoLoginHash')) {
|
2008-08-11 08:11:33 +02:00
|
|
|
$member = Member::member_from_autologinhash(Session::get('AutoLoginHash'));
|
2007-09-16 02:32:48 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
// The user is not logged in and no valid auto login hash is available
|
|
|
|
if(!$member) {
|
|
|
|
Session::clear('AutoLoginHash');
|
2014-04-10 07:21:10 +02:00
|
|
|
return $this->controller->redirect($this->controller->Link('login'));
|
2007-07-19 12:40:28 +02:00
|
|
|
}
|
|
|
|
}
|
2007-09-16 02:32:48 +02:00
|
|
|
|
|
|
|
// Check the new password
|
2010-10-13 05:36:13 +02:00
|
|
|
if(empty($data['NewPassword1'])) {
|
|
|
|
$this->clearMessage();
|
|
|
|
$this->sessionMessage(
|
|
|
|
_t('Member.EMPTYNEWPASSWORD', "The new password can't be empty, please try again"),
|
|
|
|
"bad");
|
2013-06-08 01:34:58 +02:00
|
|
|
|
|
|
|
// redirect back to the form, instead of using redirectBack() which could send the user elsewhere.
|
2014-04-10 07:21:10 +02:00
|
|
|
return $this->controller->redirect($this->controller->Link('changepassword'));
|
2010-10-13 05:36:13 +02:00
|
|
|
}
|
|
|
|
else if($data['NewPassword1'] == $data['NewPassword2']) {
|
2008-04-26 08:31:52 +02:00
|
|
|
$isValid = $member->changePassword($data['NewPassword1']);
|
|
|
|
if($isValid->valid()) {
|
2014-03-03 05:46:02 +01:00
|
|
|
|
|
|
|
// Clear locked out status
|
|
|
|
$member->LockedOutUntil = null;
|
|
|
|
$member->FailedLoginCount = null;
|
|
|
|
$member->write();
|
2016-01-06 00:34:58 +01:00
|
|
|
|
2016-07-14 18:03:52 +02:00
|
|
|
if ($member->canLogIn()->valid()) {
|
|
|
|
$member->logIn();
|
|
|
|
}
|
|
|
|
|
|
|
|
// TODO Add confirmation message to login redirect
|
|
|
|
Session::clear('AutoLoginHash');
|
2016-01-06 00:34:58 +01:00
|
|
|
|
2015-05-25 02:38:34 +02:00
|
|
|
if (!empty($_REQUEST['BackURL'])
|
2016-01-06 00:34:58 +01:00
|
|
|
// absolute redirection URLs may cause spoofing
|
2010-10-13 05:36:39 +02:00
|
|
|
&& Director::is_site_url($_REQUEST['BackURL'])
|
|
|
|
) {
|
2015-05-25 02:38:34 +02:00
|
|
|
$url = Director::absoluteURL($_REQUEST['BackURL']);
|
|
|
|
return $this->controller->redirect($url);
|
2010-10-13 05:36:39 +02:00
|
|
|
}
|
|
|
|
else {
|
|
|
|
// Redirect to default location - the login form saying "You are logged in as..."
|
2012-09-26 23:34:00 +02:00
|
|
|
$redirectURL = HTTP::setGetVar(
|
|
|
|
'BackURL',
|
|
|
|
Director::absoluteBaseURL(), $this->controller->Link('login')
|
|
|
|
);
|
2014-04-10 07:21:10 +02:00
|
|
|
return $this->controller->redirect($redirectURL);
|
2010-10-13 05:36:39 +02:00
|
|
|
}
|
2008-04-26 08:31:52 +02:00
|
|
|
} else {
|
|
|
|
$this->clearMessage();
|
2010-10-13 05:36:13 +02:00
|
|
|
$this->sessionMessage(
|
2012-05-01 21:44:54 +02:00
|
|
|
_t(
|
2016-01-06 00:34:58 +01:00
|
|
|
'Member.INVALIDNEWPASSWORD',
|
2012-05-01 21:44:54 +02:00
|
|
|
"We couldn't accept that password: {password}",
|
2015-07-01 07:41:07 +02:00
|
|
|
array('password' => nl2br("\n".Convert::raw2xml($isValid->starredList())))
|
2016-01-06 00:34:58 +01:00
|
|
|
),
|
2014-03-24 02:02:09 +01:00
|
|
|
"bad",
|
|
|
|
false
|
2010-10-15 02:30:46 +02:00
|
|
|
);
|
2013-06-08 01:34:58 +02:00
|
|
|
|
|
|
|
// redirect back to the form, instead of using redirectBack() which could send the user elsewhere.
|
2014-04-10 07:21:10 +02:00
|
|
|
return $this->controller->redirect($this->controller->Link('changepassword'));
|
2008-04-26 08:31:52 +02:00
|
|
|
}
|
2007-09-16 02:32:48 +02:00
|
|
|
|
|
|
|
} else {
|
|
|
|
$this->clearMessage();
|
|
|
|
$this->sessionMessage(
|
2010-10-13 05:36:13 +02:00
|
|
|
_t('Member.ERRORNEWPASSWORD', "You have entered your new password differently, try again"),
|
2007-09-16 02:32:48 +02:00
|
|
|
"bad");
|
2013-06-08 01:34:58 +02:00
|
|
|
|
|
|
|
// redirect back to the form, instead of using redirectBack() which could send the user elsewhere.
|
2014-04-10 07:21:10 +02:00
|
|
|
return $this->controller->redirect($this->controller->Link('changepassword'));
|
2007-07-19 12:40:28 +02:00
|
|
|
}
|
|
|
|
}
|
2007-09-16 02:32:48 +02:00
|
|
|
|
2007-07-19 12:40:28 +02:00
|
|
|
}
|
|
|
|
|