Source of file LDAPChangePasswordForm.php
Size: 6,860 Bytes - Last Modified: 2021-12-23T10:27:14+00:00
/var/www/docs.ssmods.com/process/src/code/forms/LDAPChangePasswordForm.php
123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154 | <?php class LDAPChangePasswordForm extends ChangePasswordForm { /** * The sole purpose for overriding the constructor is surfacing the username to the user. */ public function __construct($controller, $name, $fields = null, $actions = null) { parent::__construct($controller, $name, $fields, $actions); // Obtain the Member object. If the user got this far, they must have already been synced. $member = Member::currentUser(); if (!$member) { if (Session::get('AutoLoginHash')) { $member = Member::member_from_autologinhash(Session::get('AutoLoginHash')); } // The user is not logged in and no valid auto login hash is available if (!$member) { Session::clear('AutoLoginHash'); return $this->controller->redirect($this->controller->Link('login')); } } $data = Injector::inst()->get('LDAPService')->getUserByGUID($member->GUID, ['samaccountname']); $emailField = null; $usernameField = null; if (Config::inst()->get('LDAPAuthenticator', 'allow_email_login')==='yes' && !empty($member->Email)) { $emailField = new TextField('Email', _t('LDAPLoginForm.USERNAMEOREMAIL', 'Email'), $member->Email, null, $this); } if (!empty($data['samaccountname'])) { $usernameField = new TextField('Username', _t('LDAPLoginForm.USERNAME', 'Username'), $data['samaccountname'], null, $this); } if ($emailField) { $emailFieldReadonly = $emailField->performDisabledTransformation(); $this->Fields()->unshift($emailFieldReadonly); } if ($usernameField) { $usernameFieldReadonly = $usernameField->performDisabledTransformation(); $this->Fields()->unshift($usernameFieldReadonly); } } /** * Change the password * * @param array $data The user submitted data * @return SS_HTTPResponse */ public function doChangePassword(array $data) { /** * @var LDAPService $service */ $service = Injector::inst()->get('LDAPService'); $member = Member::currentUser(); if ($member) { try { $userData = $service->getUserByGUID($member->GUID); } catch (Exception $e) { SS_Log::log($e->getMessage(), SS_Log::ERR); $this->clearMessage(); $this->sessionMessage( _t('LDAPAuthenticator.NOUSER', 'Your account hasn\'t been setup properly, please contact an administrator.'), 'bad' ); return $this->controller->redirect($this->controller->Link('changepassword')); } $loginResult = $service->authenticate($userData['samaccountname'], $data['OldPassword']); if (!$loginResult['success']) { $this->clearMessage(); $this->sessionMessage( _t('Member.ERRORPASSWORDNOTMATCH', "Your current password does not match, please try again"), "bad" ); // redirect back to the form, instead of using redirectBack() which could send the user elsewhere. return $this->controller->redirect($this->controller->Link('changepassword')); } } if (!$member) { if (Session::get('AutoLoginHash')) { $member = Member::member_from_autologinhash(Session::get('AutoLoginHash')); } // The user is not logged in and no valid auto login hash is available if (!$member) { Session::clear('AutoLoginHash'); return $this->controller->redirect($this->controller->Link('login')); } } // Check the new password if (empty($data['NewPassword1'])) { $this->clearMessage(); $this->sessionMessage( _t('Member.EMPTYNEWPASSWORD', "The new password can't be empty, please try again"), "bad"); // redirect back to the form, instead of using redirectBack() which could send the user elsewhere. return $this->controller->redirect($this->controller->Link('changepassword')); } elseif ($data['NewPassword1'] == $data['NewPassword2']) { // Providing OldPassword to perform password _change_ operation. This will respect the // password history policy. Unfortunately we cannot support password history policy on password _reset_ // at the moment, which means it will not be enforced on SilverStripe-driven email password reset. $oldPassword = !empty($data['OldPassword']) ? $data['OldPassword']: null; $isValid = $service->setPassword($member, $data['NewPassword1'], $oldPassword); // try to catch connection and other errors that the ldap service can through if ($isValid->valid()) { $member->logIn(); Session::clear('AutoLoginHash'); // Clear locked out status $member->LockedOutUntil = null; $member->FailedLoginCount = null; $member->write(); if (!empty($_REQUEST['BackURL']) // absolute redirection URLs may cause spoofing && Director::is_site_url($_REQUEST['BackURL']) ) { $url = Director::absoluteURL($_REQUEST['BackURL']); return $this->controller->redirect($url); } else { // Redirect to default location - the login form saying "You are logged in as..." $redirectURL = HTTP::setGetVar( 'BackURL', Director::absoluteBaseURL(), $this->controller->Link('login') ); return $this->controller->redirect($redirectURL); } } else { $this->clearMessage(); $this->sessionMessage($isValid->message(), "bad"); // redirect back to the form, instead of using redirectBack() which could send the user elsewhere. return $this->controller->redirect($this->controller->Link('changepassword')); } } else { $this->clearMessage(); $this->sessionMessage( _t('Member.ERRORNEWPASSWORD', "You have entered your new password differently, try again"), "bad"); // redirect back to the form, instead of using redirectBack() which could send the user elsewhere. return $this->controller->redirect($this->controller->Link('changepassword')); } } } |