push(new PasswordField("OldPassword", _t('Member.YOUROLDPASSWORD', "Your old password")));
            }
            $fields->push(new PasswordField("NewPassword1", _t('Member.NEWPASSWORD', "New Password")));
            $fields->push(new PasswordField("NewPassword2", _t('Member.CONFIRMNEWPASSWORD', "Confirm New Password")));
        }
        if (!$actions) {
            $actions = new FieldList(
                new FormAction("doChangePassword", _t('Member.BUTTONCHANGEPASSWORD', "Change Password"))
            );
        }
        if (isset($backURL)) {
            $fields->push(new HiddenField('BackURL', 'BackURL', $backURL));
        }
        parent::__construct($controller, $name, $fields, $actions);
    }

    /**
     * Change the password
     *
     * Handles two cases: a logged-in member, whose current password must be
     * verified first, and a member who is not logged in but has an
     * 'AutoLoginHash' in the session (the password-reset flow). Every failure
     * redirects back to the change-password form with a session message;
     * success clears the lock-out counters, logs the member in when permitted
     * and redirects to BackURL (only when it is a site-local URL) or to the
     * login page.
     *
     * @param array $data The user submitted data
     * @return HTTPResponse
     */
    public function doChangePassword(array $data)
    {
        if ($member = Member::currentUser()) {
            // The user was logged in: the current password must be verified before it can be changed.
            if (empty($data['OldPassword']) || !$member->checkPassword($data['OldPassword'])->isValid()) {
                $this->clearMessage();
                $this->sessionMessage(
                    _t('Member.ERRORPASSWORDNOTMATCH', "Your current password does not match, please try again"),
                    "bad"
                );
                // redirect back to the form, instead of using redirectBack() which could send the user elsewhere.
                return $this->controller->redirect($this->controller->Link('changepassword'));
            }
        }

        if (!$member) {
            // Not logged in: fall back to the reset token kept in the session.
            // NOTE(review): this only resolves the member from the hash; whether an expired hash is
            // rejected is decided inside member_from_autologinhash — confirm there.
            if (Session::get('AutoLoginHash')) {
                $member = Member::member_from_autologinhash(Session::get('AutoLoginHash'));
            }

            // The user is not logged in and no valid auto login hash is available:
            // drop the unusable hash and send them to the login page.
            if (!$member) {
                Session::clear('AutoLoginHash');
                return $this->controller->redirect($this->controller->Link('login'));
            }
        }

        // Check the new password
        if (empty($data['NewPassword1'])) {
            $this->clearMessage();
            $this->sessionMessage(
                _t('Member.EMPTYNEWPASSWORD', "The new password can't be empty, please try again"),
                "bad"
            );
            // redirect back to the form, instead of using redirectBack() which could send the user elsewhere.
            return $this->controller->redirect($this->controller->Link('changepassword'));
        }

        // Fail if passwords do not match. There is no isset() on NewPassword2: a missing key
        // yields null (with a notice) and therefore lands in this mismatch branch.
        if ($data['NewPassword1'] !== $data['NewPassword2']) {
            $this->clearMessage();
            $this->sessionMessage(
                _t('Member.ERRORNEWPASSWORD', "You have entered your new password differently, try again"),
                "bad"
            );
            // redirect back to the form, instead of using redirectBack() which could send the user elsewhere.
            return $this->controller->redirect($this->controller->Link('changepassword'));
        }

        // Check if the new password is accepted. Whatever validation Member::changePassword
        // applies is surfaced on the form via the session validation result.
        $validationResult = $member->changePassword($data['NewPassword1']);
        if (!$validationResult->isValid()) {
            $this->setSessionValidationResult($validationResult);
            return $this->controller->redirect($this->controller->Link('changepassword'));
        }

        // Clear locked out status: a successful password change resets the lock-out
        // state so the member can log in straight away.
        $member->LockedOutUntil = null;
        $member->FailedLoginCount = null;
        $member->write();

        // Only establish a session if the member is otherwise permitted to log in.
        if ($member->canLogIn()->isValid()) {
            $member->logIn();
        }

        // TODO Add confirmation message to login redirect
        // The reset token in the session is single-use: discard it now that the password
        // has changed. NOTE(review): whether the hash stored on the member record is also
        // invalidated is not visible here — confirm in Member::changePassword / onBeforeWrite.
        Session::clear('AutoLoginHash');

        // Open-redirect guard: only site-local BackURL values are honoured.
        // NOTE(review): the value is read from $_REQUEST rather than from the hidden
        // 'BackURL' field submitted in $data — presumably deliberate; verify.
        if (!empty($_REQUEST['BackURL'])
            // absolute redirection URLs may cause spoofing
            && Director::is_site_url($_REQUEST['BackURL'])
        ) {
            $url = Director::absoluteURL($_REQUEST['BackURL']);
            return $this->controller->redirect($url);
        } else {
            // Redirect to default location - the login form saying "You are logged in as..."
            $redirectURL = HTTP::setGetVar(
                'BackURL',
                Director::absoluteBaseURL(),
                $this->controller->Link('login')
            );
            return $this->controller->redirect($redirectURL);
        }
    }
}