From 749d16eba63e3e891281d6407a43887bac3af3b8 Mon Sep 17 00:00:00 2001 From: Marcel Haupt Date: Sun, 10 Dec 2017 15:43:35 +0100 Subject: [PATCH 1/6] Added requirement for user to enter his old password when changing his password, email or name. Also included the AuthException class into Account.php to prevent an error on line 201. --- components/Account.php | 11 +++++++++-- components/account/update.htm | 5 +++++ 2 files changed, 14 insertions(+), 2 deletions(-) diff --git a/components/Account.php b/components/Account.php index e1dfc628..d8ac97a6 100644 --- a/components/Account.php +++ b/components/Account.php @@ -11,6 +11,7 @@ use Validator; use ValidationException; use ApplicationException; +use October\Rain\Auth\AuthException; use Cms\Classes\Page; use Cms\Classes\ComponentBase; use RainLab\User\Models\Settings as UserSettings; @@ -346,18 +347,24 @@ public function onUpdate() if (!$user = $this->user()) { return; } + + $data = post(); + + if (!$user->checkHashValue('password', $data['password_old'])) { + throw new ValidationException(['password' => Lang::get('rainlab.user::lang.account.invalid_deactivation_pass')]); + } if (Input::hasFile('avatar')) { $user->avatar = Input::file('avatar'); } - $user->fill(post()); + $user->fill($data); $user->save(); /* * Password has changed, reauthenticate the user */ - if (strlen(post('password'))) { + if (strlen($data['password'])) { Auth::login($user->reload(), true); } diff --git a/components/account/update.htm b/components/account/update.htm index a294dd0d..b8ac0856 100644 --- a/components/account/update.htm +++ b/components/account/update.htm @@ -19,6 +19,11 @@ + +
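Review bot: Swapping `post('password')` for `$data['password']` in the re-login check (and reading `$data['password_old']` the same way above it) changes behaviour when a form does not submit the field: `post()` returns null for a missing key, whereas a direct index raises an undefined-index notice that October turns into an exception, so a stale or customised template would now break the update instead of failing the check. Read both values through the helper with a default, e.g. `if (!$user->checkHashValue('password', (string) post('password_old', ''))) {` and `if (strlen((string) post('password'))) {`. Whether `checkHashValue` tolerates a null candidate is not visible here. onUpdate continues past the end of this hunk.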
+ + +
From b7dab2c9919a097414ce47e913709f582379bad7 Mon Sep 17 00:00:00 2001 From: Marcel Haupt Date: Tue, 12 Dec 2017 09:56:47 +0100 Subject: [PATCH 2/6] Setting for Update Password Requirement added --- components/Account.php | 15 +++++++++++++-- components/account/update.htm | 5 ++++- models/Settings.php | 3 ++- models/settings/fields.yaml | 8 ++++++++ 4 files changed, 27 insertions(+), 4 deletions(-) diff --git a/components/Account.php b/components/Account.php index d8ac97a6..f0cae3f5 100644 --- a/components/Account.php +++ b/components/Account.php @@ -71,6 +71,7 @@ public function prepareVars() $this->page['canRegister'] = $this->canRegister(); $this->page['loginAttribute'] = $this->loginAttribute(); $this->page['loginAttributeLabel'] = $this->loginAttributeLabel(); + $this->page['updateRequiresPassword'] = $this->updateRequiresPassword(); } /** @@ -137,6 +138,14 @@ public function loginAttributeLabel() : /*Username*/'rainlab.user::lang.login.attribute_username' ); } + + /** + * Returns the update requires password setting + */ + public function updateRequiresPassword() + { + return UserSettings::get('update_requires_password', false); + } /** * Looks for the activation code from the URL parameter. If nothing @@ -350,8 +359,10 @@ public function onUpdate() $data = post(); - if (!$user->checkHashValue('password', $data['password_old'])) { - throw new ValidationException(['password' => Lang::get('rainlab.user::lang.account.invalid_deactivation_pass')]); + if ($this->updateRequiresPassword()) { + if (!$user->checkHashValue('password', $data['password_old'])) { + throw new ValidationException(['password' => Lang::get('rainlab.user::lang.account.invalid_deactivation_pass')]); + } } if (Input::hasFile('avatar')) { diff --git a/components/account/update.htm b/components/account/update.htm index b8ac0856..31237f87 100644 --- a/components/account/update.htm +++ b/components/account/update.htm @@ -20,10 +20,13 @@ + {% if updateRequiresPassword %}
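Review bot: The docblock on the new `updateRequiresPassword()` does not state the one fact a reader needs: `UserSettings::get('update_requires_password', false)` means the current-password check introduced in the previous commit is skipped on every install until an administrator switches it on. Suggest replacing the one-liner with `Returns true when onUpdate() must verify the user's current password before saving changes; governed by the update_requires_password setting, which is off by default.`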
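Review bot: Gating the whole check on `if ($this->updateRequiresPassword())` means that at the default setting a new password or e-mail is accepted from an existing session with no re-authentication, which is exactly the case where a hijacked session or a forgotten logout does the most damage. Consider keeping the check mandatory whenever a new password is submitted and letting the setting govern only the remaining fields, e.g. `if ($this->updateRequiresPassword() || strlen((string) post('password'))) {`. The template would then need to render the current-password input whenever the password fields are shown, rather than only under the same setting as this commit does. onUpdate continues past the end of this hunk.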
- +
+ + {% endif %} diff --git a/models/Settings.php b/models/Settings.php index 9367e4b1..d3d9c596 100644 --- a/models/Settings.php +++ b/models/Settings.php @@ -31,6 +31,7 @@ public function initSettingsData() $this->block_persistence = false; $this->allow_registration = true; $this->login_attribute = self::LOGIN_EMAIL; + $this->update_requires_password = false; } public function getActivateModeOptions() @@ -58,7 +59,7 @@ public function getLoginAttributeOptions() self::LOGIN_USERNAME => ['rainlab.user::lang.login.attribute_username'] ]; } - + public function getActivateModeAttribute($value) { if (!$value) { diff --git a/models/settings/fields.yaml b/models/settings/fields.yaml index 3dfd9411..b7e710b8 100644 --- a/models/settings/fields.yaml +++ b/models/settings/fields.yaml @@ -27,6 +27,14 @@ tabs: commentAbove: rainlab.user::lang.settings.login_attribute_comment type: radio tab: rainlab.user::lang.settings.signin_tab + + # Update requires Password + update_requires_password: + span: right + label: 'User Settings' + commentAbove: 'Settings update requires current user password' + type: switch + tab: rainlab.user::lang.settings.signin_tab # Require Activation allow_registration: From 044eaa1d5838a7d0faf8c8399b90a9d1e218a239 Mon Sep 17 00:00:00 2001 From: Ben Thomson Date: Thu, 25 Jul 2019 23:26:10 +0800 Subject: [PATCH 3/6] Rename current password field, add note to form --- components/account/update.htm | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/components/account/update.htm b/components/account/update.htm index c9655c10..c26563e0 100644 --- a/components/account/update.htm +++ b/components/account/update.htm @@ -19,13 +19,13 @@ - + {% if updateRequiresPassword %} -
- - -
- +

To change these details, please confirm your current password.

+
+ + +
{% endif %} From 17a2b673533bfa1292866026d1fea7039c5ad00a Mon Sep 17 00:00:00 2001 From: Ben Thomson Date: Thu, 25 Jul 2019 23:29:05 +0800 Subject: [PATCH 4/6] Add language for invalid current password --- components/Account.php | 10 +++++----- lang/en/lang.php | 1 + 2 files changed, 6 insertions(+), 5 deletions(-) diff --git a/components/Account.php b/components/Account.php index 7d1adcb4..c59025cf 100644 --- a/components/Account.php +++ b/components/Account.php @@ -139,7 +139,7 @@ public function loginAttributeLabel() : /*Username*/'rainlab.user::lang.login.attribute_username' ); } - + /** * Returns the update requires password setting */ @@ -376,12 +376,12 @@ public function onUpdate() if (!$user = $this->user()) { return; } - + $data = post(); - + if ($this->updateRequiresPassword()) { - if (!$user->checkHashValue('password', $data['password_old'])) { - throw new ValidationException(['password' => Lang::get('rainlab.user::lang.account.invalid_deactivation_pass')]); + if (!$user->checkHashValue('password', $data['password_current'])) { + throw new ValidationException(['password' => Lang::get('rainlab.user::lang.account.invalid_current_pass')]); } } diff --git a/lang/en/lang.php b/lang/en/lang.php index cd64dbec..3ac44db5 100644 --- a/lang/en/lang.php +++ b/lang/en/lang.php @@ -172,6 +172,7 @@ 'invalid_user' => 'A user was not found with the given credentials.', 'invalid_activation_code' => 'Invalid activation code supplied.', 'invalid_deactivation_pass' => 'The password you entered was invalid.', + 'invalid_current_pass' => 'The current password you entered was invalid.', 'success_activation' => 'Successfully activated your account.', 'success_deactivation' => 'Successfully deactivated your account. Sorry to see you go!', 'success_saved' => 'Settings successfully saved!', From d98615614455aca0dddd4e1af50eb6e863b08ff6 Mon Sep 17 00:00:00 2001 
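Review bot: After the rename, `$data` still carries the `password_current` value into the `$user->fill($data)` call further down (outside this hunk); whether the model drops it depends on its fillable/guarded configuration, which is not visible here. Pull the secret out of the array before it reaches the model and read it with a default so a form that omits the field fails the check instead of raising an undefined-index notice: `$current = (string) post('password_current', '');` followed by `unset($data['password_current']);`, then compare `$current`. The template side of this rename landed in the previous commit, so that intermediate commit checks a field the form no longer sends; squashing the two would keep the history bisectable.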
From: Ben Thomson Date: Thu, 25 Jul 2019 23:37:04 +0800 Subject: [PATCH 5/6] Add lang for current password check --- lang/en/lang.php | 3 +++ models/settings/fields.yaml | 16 ++++++++-------- 2 files changed, 11 insertions(+), 8 deletions(-) diff --git a/lang/en/lang.php b/lang/en/lang.php index 3ac44db5..ef4facc3 100644 --- a/lang/en/lang.php +++ b/lang/en/lang.php @@ -71,6 +71,7 @@ 'activation_tab' => 'Activation', 'signin_tab' => 'Sign in', 'registration_tab' => 'Registration', + 'profile_tab' => 'Profile', 'notifications_tab' => 'Notifications', 'allow_registration' => 'Allow user registration', 'allow_registration_comment' => 'If this is disabled users can only be created by administrators.', @@ -97,6 +98,8 @@ 'remember_always' => 'Always', 'remember_never' => 'Never', 'remember_ask' => 'Ask the user on login', + 'update_requires_password' => 'Confirm current password on update', + 'update_requires_password_comment' => 'Require the current password of the user when changing their profile.' ], 'user' => [ 'label' => 'User', diff --git a/models/settings/fields.yaml b/models/settings/fields.yaml index 28ed17bb..470ec100 100644 --- a/models/settings/fields.yaml +++ b/models/settings/fields.yaml @@ -27,14 +27,6 @@ tabs: commentAbove: rainlab.user::lang.settings.login_attribute_comment type: radio tab: rainlab.user::lang.settings.signin_tab - - # Update requires Password - update_requires_password: - span: right - label: 'User Settings' - commentAbove: 'Settings update requires current user password' - type: switch - tab: rainlab.user::lang.settings.signin_tab # Remeber Login Mode remember_login: 
@@ -76,3 +68,11 @@ tabs: label: rainlab.user::lang.settings.activate_mode type: radio tab: rainlab.user::lang.settings.activation_tab + + # Require current password when editing profile + update_requires_password: + span: left + label: rainlab.user::lang.settings.update_requires_password + commentAbove: rainlab.user::lang.settings.update_requires_password_comment + type: switch + tab: rainlab.user::lang.settings.profile_tab From 05563d30bb45f4c6283f29cc662604b763789e37 Mon Sep 17 00:00:00 2001 From: Ben Thomson Date: Thu, 25 Jul 2019 23:41:26 +0800 Subject: [PATCH 6/6] Focus on current password field if incorrect --- components/Account.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/components/Account.php b/components/Account.php index c59025cf..9ed31205 100644 --- a/components/Account.php +++ b/components/Account.php @@ -381,7 +381,7 @@ public function onUpdate() if ($this->updateRequiresPassword()) { if (!$user->checkHashValue('password', $data['password_current'])) { - throw new ValidationException(['password' => Lang::get('rainlab.user::lang.account.invalid_current_pass')]); + throw new ValidationException(['password_current' => Lang::get('rainlab.user::lang.account.invalid_current_pass')]); } }
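Review bot: The current-password comparison in this hunk is an online guessing oracle for anyone holding a valid session: each wrong guess costs only a ValidationException, and nothing here or in the surrounding onUpdate (which starts and ends outside the hunk) throttles or records failed attempts. If the sign-in path applies a throttle or lockout, consider routing failures here through the same mechanism, or at least logging them, so a stolen session cannot be escalated to a password change by brute force. Keying the exception on `password_current` is the right fix for the field focus and needs no further change.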