From 2b30ade44d333a4da4d13b31ffa28d0a34597442 Mon Sep 17 00:00:00 2001
From: Daniel Hensby
Date: Thu, 14 Jul 2016 17:03:52 +0100
Subject: [PATCH] [SS-2016-011] ChangePasswordForm does not check $member->canLogin before login

This could be used as a way to circumvent login restrictions by using the change password feature to log users in that are unable to login for reasons other than too many password attempts
---
 security/ChangePasswordForm.php | 13 ++++++++-----
 1 file changed, 8 insertions(+), 5 deletions(-)

diff --git a/security/ChangePasswordForm.php b/security/ChangePasswordForm.php
index 5a1f9d868..2459e9c91 100644
--- a/security/ChangePasswordForm.php
+++ b/security/ChangePasswordForm.php
@@ -98,16 +98,19 @@ class ChangePasswordForm extends Form {
 else if($data['NewPassword1'] == $data['NewPassword2']) {
 $isValid = $member->changePassword($data['NewPassword1']);
 if($isValid->valid()) {
- $member->logIn();
-
- // TODO Add confirmation message to login redirect
- Session::clear('AutoLoginHash');
 // Clear locked out status
 $member->LockedOutUntil = null;
 $member->FailedLoginCount = null;
 $member->write();
-
+
+ if ($member->canLogIn()->valid()) {
+ $member->logIn();
+ }
+
+ // TODO Add confirmation message to login redirect
+ Session::clear('AutoLoginHash');
+
 if (!empty($_REQUEST['BackURL'])
 // absolute redirection URLs may cause spoofing
 && Director::is_site_url($_REQUEST['BackURL'])