tonyair/silverstripe-framework
1
0
Fork 0
mirror of https://github.com/silverstripe/silverstripe-framework synced 2024-10-22 12:05:37 +00:00
Code Issues Projects Releases Wiki Activity

MINOR Separate some areas of logic in LostPasswordHandler to make them more overridable

Browse Source
This commit is contained in:
Robbie Averill 2017-10-04 12:31:36 +13:00
parent 168db412de
commit 6044579a3f
2 changed files with 64 additions and 23 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
src/Security/MemberAuthenticator/ChangePasswordHandler.php
View File

@ -283,7 +283,10 @@ class ChangePasswordHandler extends RequestHandler
// Redirect to backurl
$backURL = $this->getBackURL();
if ($backURL) {
if ($backURL
// Don't redirect back to itself
&& $backURL !== Security::singleton()->Link('changepassword')
) {
return $this->redirect($backURL);
}

80
src/Security/MemberAuthenticator/LostPasswordHandler.php
View File

@ -165,23 +165,14 @@ class LostPasswordHandler extends RequestHandler
*/
public function forgotPassword($data, $form)
{
// Ensure password is given
if (empty($data['Email'])) {
$form->sessionMessage(
_t(
'SilverStripe\\Security\\Member.ENTEREMAIL',
'Please enter an email address to get a password reset link.'
),
'bad'
);
return $this->redirectToLostPassword();
// Run a first pass validation check on the data
$dataValidation = $this->validateForgotPasswordData($data, $form);
if ($dataValidation instanceof HTTPResponse) {
return $dataValidation;
}
// Find existing member
$field = Member::config()->get('unique_identifier_field');
/** @var Member $member */
$member = Member::get()->filter([$field => $data['Email']])->first();
$member = $this->getMemberFromData($data);
// Allow vetoing forgot password requests
$results = $this->extend('forgotPassword', $member);
@ -195,15 +186,45 @@ class LostPasswordHandler extends RequestHandler
$this->sendEmail($member, $token);
}
// Avoid information disclosure by displaying the same status,
// regardless wether the email address actually exists
$link = Controller::join_links(
$this->link('passwordsent'),
rawurlencode($data['Email']),
'/'
return $this->redirectToSuccess($data);
}
/**
* Ensure that the user has provided an email address. Note that the "Email" key is specific to this
* implementation, but child classes can override this method to use another unique identifier field
* for validation.
*
* @param array $data
* @param LostPasswordForm $form
* @return HTTPResponse|null
*/
protected function validateForgotPasswordData(array $data, LostPasswordForm $form)
{
if (empty($data['Email'])) {
$form->sessionMessage(
_t(
'SilverStripe\\Security\\Member.ENTEREMAIL',
'Please enter an email address to get a password reset link.'
),
'bad'
);
return $this->redirect($this->addBackURLParam($link));
return $this->redirectToLostPassword();
}
}
/**
* Load an existing Member from the provided data
*
* @param array $data
* @return Member|null
*/
protected function getMemberFromData(array $data)
{
if (!empty($data['Email'])) {
$uniqueIdentifier = Member::config()->get('unique_identifier_field');
return Member::get()->filter([$uniqueIdentifier => $data['Email']])->first();
}
}
/**
@ -227,4 +248,21 @@ class LostPasswordHandler extends RequestHandler
->setTo($member->Email);
return $email->send();
}
/**
* Avoid information disclosure by displaying the same status, regardless wether the email address actually exists
*
* @param array $data
* @return HTTPResponse
*/
protected function redirectToSuccess(array $data)
{
$link = Controller::join_links(
$this->link('passwordsent'),
rawurlencode($data['Email']),
'/'
);
return $this->redirect($this->addBackURLParam($link));
}
}