From 560fe9820a51eb3001dafdc1e34806434392a3e3 Mon Sep 17 00:00:00 2001
From: Daniel Hensby
Date: Tue, 26 Jun 2018 13:29:59 +0100
Subject: [PATCH] FIX remove personal information from password reset confirmation screen
---
 lang/en.yml | 4 +--
 .../LostPasswordHandler.php | 30 +++++--------------
 tests/php/Security/MemberTest.php | 2 +-
 3 files changed, 11 insertions(+), 25 deletions(-)

diff --git a/lang/en.yml b/lang/en.yml
index 56654a39d..6e3bdd7cb 100644
--- a/lang/en.yml
+++ b/lang/en.yml
@@ -325,5 +325,5 @@ en:
 NOTEPAGESECURED: 'That page is secured. Enter your credentials below and we will send you right along.'
 NOTERESETLINKINVALID: '

The password reset link is invalid or expired.

You can request a new one here or change your password after you logged in.

'
 NOTERESETPASSWORD: 'Enter your e-mail address and we will send you a link with which you can reset your password'
- PASSWORDSENTHEADER: 'Password reset link sent to ''{email}'''
- PASSWORDSENTTEXT: 'Thank you! A reset link has been sent to ''{email}'', provided an account exists for this email address.'
+ PASSWORDRESETSENTHEADER: 'Password reset link sent'
+ PASSWORDRESETSENTTEXT: 'Thank you. A reset link has been sent, provided an account exists for this email address.'
diff --git a/src/Security/MemberAuthenticator/LostPasswordHandler.php b/src/Security/MemberAuthenticator/LostPasswordHandler.php
index 5086e525c..dfd8aeebc 100644
--- a/src/Security/MemberAuthenticator/LostPasswordHandler.php
+++ b/src/Security/MemberAuthenticator/LostPasswordHandler.php
@@ -27,8 +27,8 @@ class LostPasswordHandler extends RequestHandler
 * @var array
 */
 private static $url_handlers = [
- 'passwordsent/$EmailAddress' => 'passwordsent',
- '' => 'lostpassword',
+ 'passwordsent' => 'passwordsent',
+ '' => 'lostpassword',
 ];
 
 /**
@@ -101,27 +101,17 @@ class LostPasswordHandler extends RequestHandler
 */
 public function passwordsent()
 {
- $request = $this->getRequest();
- $email = Convert::raw2xml(rawurldecode($request->param('EmailAddress')));
- if ($request->getExtension()) {
- $email = $email . '.' . Convert::raw2xml($request->getExtension());
- }
-
 $message = _t(
- 'SilverStripe\\Security\\Security.PASSWORDSENTTEXT',
- "Thank you! A reset link has been sent to '{email}', provided an account exists for this email"
- . " address.",
- ['email' => Convert::raw2xml($email)]
+ 'SilverStripe\\Security\\Security.PASSWORDRESETSENTTEXT',
+ "Thank you. A reset link has been sent, provided an account exists for this email address."
 );
 
 return [
- 'Title' => _t(
- 'SilverStripe\\Security\\Security.PASSWORDSENTHEADER',
- "Password reset link sent to '{email}'",
- array('email' => $email)
+ 'Title' => _t(
+ 'SilverStripe\\Security\\Security.PASSWORDRESETSENTHEADER',
+ "Password reset link sent"
 ),
 'Content' => DBField::create_field('HTMLFragment', "

$message

"),
- 'Email' => $email
 ];
 }
 
@@ -263,11 +253,7 @@ class LostPasswordHandler extends RequestHandler
 */
 protected function redirectToSuccess(array $data)
 {
- $link = Controller::join_links(
- $this->Link('passwordsent'),
- rawurlencode($data['Email']),
- '/'
- );
+ $link = $this->link('passwordsent');
 return $this->redirect($this->addBackURLParam($link));
 }
 
diff --git a/tests/php/Security/MemberTest.php b/tests/php/Security/MemberTest.php
index 53bb4883c..942b732b0 100644
--- a/tests/php/Security/MemberTest.php
+++ b/tests/php/Security/MemberTest.php
@@ -239,7 +239,7 @@ class MemberTest extends FunctionalTest
 // We should get redirected to Security/passwordsent
 $this->assertContains(
- 'Security/lostpassword/passwordsent/testuser@example.com',
+ 'Security/lostpassword/passwordsent',
 urldecode($response->getHeader('Location'))
 );
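Review bot: The docblock of `passwordsent()`, which ends at the ` */` context line at the top of this hunk and lies outside it, is not touched by the change and presumably still describes the old contract (an `$EmailAddress` URL parameter and an `Email` key in the returned array, both removed here); it should now state the reason for the new shape. A line such as `* The submitted address is deliberately neither placed in the URL nor echoed back, so it does not land in access logs, browser history or referrers, and the page does not confirm whether an account exists.` records the intent for the next maintainer. With `$this->getRequest()` and `Convert::raw2xml()` gone from this method, the file's `Convert` import is likely dead unless something else in the file still uses it — worth checking, as is any template that still reads `$Email` from this action's return array, since that value is now absent.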
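Review bot: The added line calls `$this->link('passwordsent')` in lowercase while the removed line used `$this->Link('passwordsent')`, the `RequestHandler::Link()` method; PHP resolves method names case-insensitively so it works, but it reads as a different method and hides from grep and IDE navigation, so `$link = $this->Link('passwordsent');` is preferable. `$data` is no longer read in the body but must stay in the signature for subclasses that override `redirectToSuccess(array $data)`; a docblock line such as `@param array $data Submitted form data; intentionally not used in the redirect URL so the address is not exposed` makes that deliberate rather than an oversight. `Controller::join_links` was the only visible use of `Controller` here, so that import may now be unused too — verify against the rest of the file. The MemberTest hunk only asserts the new prefix; an additional `$this->assertNotContains('testuser@example.com', urldecode($response->getHeader('Location')));` would pin the actual fix this commit makes.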