|
1
|
|
|
<?php |
|
2
|
|
|
|
|
3
|
|
|
namespace SilverStripe\ActiveDirectory\Forms; |
|
4
|
|
|
|
|
5
|
|
|
use Exception; |
|
6
|
|
|
use SilverStripe\Control\Director; |
|
7
|
|
|
use SilverStripe\Control\HTTP; |
|
8
|
|
|
use SilverStripe\Control\Session; |
|
9
|
|
|
use SilverStripe\Core\Config\Config; |
|
10
|
|
|
use SilverStripe\Core\Injector\Injector; |
|
11
|
|
|
use SilverStripe\Forms\TextField; |
|
12
|
|
|
use SilverStripe\Security\ChangePasswordForm; |
|
13
|
|
|
use SilverStripe\Security\Member; |
|
14
|
|
|
|
|
15
|
|
|
/** |
|
16
|
|
|
* @package activedirectory |
|
17
|
|
|
*/ |
|
18
|
|
|
class LDAPChangePasswordForm extends ChangePasswordForm |
|
19
|
|
|
{ |
|
20
|
|
|
/** |
|
21
|
|
|
* The sole purpose for overriding the constructor is surfacing the username to the user. |
|
22
|
|
|
*/ |
|
23
|
|
|
public function __construct($controller, $name, $fields = null, $actions = null) |
|
24
|
|
|
{ |
|
25
|
|
|
parent::__construct($controller, $name, $fields, $actions); |
|
26
|
|
|
|
|
27
|
|
|
// Obtain the Member object. If the user got this far, they must have already been synced. |
|
28
|
|
|
$member = Member::currentUser(); |
|
29
|
|
View Code Duplication |
if (!$member) { |
|
|
|
|
|
|
30
|
|
|
if (Session::get('AutoLoginHash')) { |
|
31
|
|
|
$member = Member::member_from_autologinhash(Session::get('AutoLoginHash')); |
|
32
|
|
|
} |
|
33
|
|
|
|
|
34
|
|
|
// The user is not logged in and no valid auto login hash is available |
|
35
|
|
|
if (!$member) { |
|
36
|
|
|
Session::clear('AutoLoginHash'); |
|
37
|
|
|
return $this->controller->redirect($this->controller->Link('login')); |
|
|
|
|
|
|
38
|
|
|
} |
|
39
|
|
|
} |
|
40
|
|
|
|
|
41
|
|
|
$data = Injector::inst() |
|
42
|
|
|
->get('SilverStripe\\ActiveDirectory\\Services\\LDAPService') |
|
43
|
|
|
->getUserByGUID($member->GUID, ['samaccountname']); |
|
44
|
|
|
|
|
45
|
|
|
$emailField = null; |
|
46
|
|
|
$usernameField = null; |
|
47
|
|
|
if (Config::inst()->get('SilverStripe\\ActiveDirectory\\Authenticators\\LDAPAuthenticator', 'allow_email_login') === 'yes' |
|
48
|
|
|
&& !empty($member->Email) |
|
49
|
|
|
) { |
|
50
|
|
|
$emailField = TextField::create( |
|
51
|
|
|
'Email', |
|
52
|
|
|
_t('LDAPLoginForm.USERNAMEOREMAIL', 'Email'), |
|
53
|
|
|
$member->Email, |
|
54
|
|
|
null, |
|
55
|
|
|
$this |
|
56
|
|
|
); |
|
57
|
|
|
} |
|
58
|
|
|
if (!empty($data['samaccountname'])) { |
|
59
|
|
|
$usernameField = TextField::create( |
|
60
|
|
|
'Username', |
|
61
|
|
|
_t('LDAPLoginForm.USERNAME', 'Username'), |
|
62
|
|
|
$data['samaccountname'], |
|
63
|
|
|
null, |
|
64
|
|
|
$this |
|
65
|
|
|
); |
|
66
|
|
|
} |
|
67
|
|
|
|
|
68
|
|
|
if ($emailField) { |
|
69
|
|
|
$emailFieldReadonly = $emailField->performDisabledTransformation(); |
|
70
|
|
|
$this->Fields()->unshift($emailFieldReadonly); |
|
71
|
|
|
} |
|
72
|
|
|
if ($usernameField) { |
|
73
|
|
|
$usernameFieldReadonly = $usernameField->performDisabledTransformation(); |
|
74
|
|
|
$this->Fields()->unshift($usernameFieldReadonly); |
|
75
|
|
|
} |
|
76
|
|
|
} |
|
77
|
|
|
|
|
78
|
|
|
/** |
|
79
|
|
|
* Change the password |
|
80
|
|
|
* |
|
81
|
|
|
* @param array $data The user submitted data |
|
82
|
|
|
* @return HTTPResponse |
|
83
|
|
|
*/ |
|
84
|
|
|
public function doChangePassword(array $data) |
|
|
|
|
|
|
85
|
|
|
{ |
|
86
|
|
|
/** |
|
87
|
|
|
* @var LDAPService $service |
|
88
|
|
|
*/ |
|
89
|
|
|
$service = Injector::inst()->get('SilverStripe\\ActiveDirectory\\Services\\LDAPService'); |
|
90
|
|
|
$member = Member::currentUser(); |
|
91
|
|
|
if ($member) { |
|
92
|
|
|
try { |
|
93
|
|
|
$userData = $service->getUserByGUID($member->GUID); |
|
94
|
|
|
} catch (Exception $e) { |
|
95
|
|
|
Injector::inst()->get('Logger')->error($e->getMessage()); |
|
96
|
|
|
|
|
97
|
|
|
$this->clearMessage(); |
|
98
|
|
|
$this->sessionMessage( |
|
99
|
|
|
_t( |
|
100
|
|
|
'LDAPAuthenticator.NOUSER', |
|
101
|
|
|
'Your account hasn\'t been setup properly, please contact an administrator.' |
|
102
|
|
|
), |
|
103
|
|
|
'bad' |
|
104
|
|
|
); |
|
105
|
|
|
return $this->controller->redirect($this->controller->Link('changepassword')); |
|
106
|
|
|
} |
|
107
|
|
|
$loginResult = $service->authenticate($userData['samaccountname'], $data['OldPassword']); |
|
108
|
|
View Code Duplication |
if (!$loginResult['success']) { |
|
|
|
|
|
|
109
|
|
|
$this->clearMessage(); |
|
110
|
|
|
$this->sessionMessage( |
|
111
|
|
|
_t('Member.ERRORPASSWORDNOTMATCH', 'Your current password does not match, please try again'), |
|
112
|
|
|
'bad' |
|
113
|
|
|
); |
|
114
|
|
|
// redirect back to the form, instead of using redirectBack() which could send the user elsewhere. |
|
115
|
|
|
return $this->controller->redirect($this->controller->Link('changepassword')); |
|
116
|
|
|
} |
|
117
|
|
|
} |
|
118
|
|
|
|
|
119
|
|
View Code Duplication |
if (!$member) { |
|
|
|
|
|
|
120
|
|
|
if (Session::get('AutoLoginHash')) { |
|
121
|
|
|
$member = Member::member_from_autologinhash(Session::get('AutoLoginHash')); |
|
122
|
|
|
} |
|
123
|
|
|
|
|
124
|
|
|
// The user is not logged in and no valid auto login hash is available |
|
125
|
|
|
if (!$member) { |
|
126
|
|
|
Session::clear('AutoLoginHash'); |
|
127
|
|
|
return $this->controller->redirect($this->controller->Link('login')); |
|
128
|
|
|
} |
|
129
|
|
|
} |
|
130
|
|
|
|
|
131
|
|
|
// Check the new password |
|
132
|
|
|
if (empty($data['NewPassword1'])) { |
|
133
|
|
|
$this->clearMessage(); |
|
134
|
|
|
$this->sessionMessage( |
|
135
|
|
|
_t('Member.EMPTYNEWPASSWORD', "The new password can't be empty, please try again"), |
|
136
|
|
|
'bad' |
|
137
|
|
|
); |
|
138
|
|
|
|
|
139
|
|
|
// redirect back to the form, instead of using redirectBack() which could send the user elsewhere. |
|
140
|
|
|
return $this->controller->redirect($this->controller->Link('changepassword')); |
|
141
|
|
|
} elseif ($data['NewPassword1'] == $data['NewPassword2']) { |
|
142
|
|
|
// Providing OldPassword to perform password _change_ operation. This will respect the |
|
143
|
|
|
// password history policy. Unfortunately we cannot support password history policy on password _reset_ |
|
144
|
|
|
// at the moment, which means it will not be enforced on SilverStripe-driven email password reset. |
|
145
|
|
|
$oldPassword = !empty($data['OldPassword']) ? $data['OldPassword']: null; |
|
146
|
|
|
|
|
147
|
|
|
/** @var ValidationResult $validationResult */ |
|
148
|
|
|
$validationResult = $service->setPassword($member, $data['NewPassword1'], $oldPassword); |
|
149
|
|
|
|
|
150
|
|
|
// try to catch connection and other errors that the ldap service can through |
|
151
|
|
|
if ($validationResult->isValid()) { |
|
152
|
|
|
$member->logIn(); |
|
153
|
|
|
|
|
154
|
|
|
Session::clear('AutoLoginHash'); |
|
155
|
|
|
|
|
156
|
|
|
// Clear locked out status |
|
157
|
|
|
$member->LockedOutUntil = null; |
|
158
|
|
|
$member->FailedLoginCount = null; |
|
159
|
|
|
$member->write(); |
|
160
|
|
|
|
|
161
|
|
|
if (!empty($_REQUEST['BackURL']) |
|
162
|
|
|
// absolute redirection URLs may cause spoofing |
|
163
|
|
|
&& Director::is_site_url($_REQUEST['BackURL']) |
|
164
|
|
|
) { |
|
165
|
|
|
$url = Director::absoluteURL($_REQUEST['BackURL']); |
|
166
|
|
|
return $this->controller->redirect($url); |
|
|
|
|
|
|
167
|
|
|
} else { |
|
168
|
|
|
// Redirect to default location - the login form saying "You are logged in as..." |
|
169
|
|
|
$redirectURL = HTTP::setGetVar( |
|
170
|
|
|
'BackURL', |
|
171
|
|
|
Director::absoluteBaseURL(), |
|
|
|
|
|
|
172
|
|
|
$this->controller->Link('login') |
|
173
|
|
|
); |
|
174
|
|
|
return $this->controller->redirect($redirectURL); |
|
175
|
|
|
} |
|
176
|
|
|
} else { |
|
177
|
|
|
$this->clearMessage(); |
|
178
|
|
|
$messages = implode('. ', array_column($validationResult->getMessages(), 'message')); |
|
179
|
|
|
$this->sessionMessage($messages, 'bad'); |
|
180
|
|
|
// redirect back to the form, instead of using redirectBack() which could send the user elsewhere. |
|
181
|
|
|
return $this->controller->redirect($this->controller->Link('changepassword')); |
|
182
|
|
|
} |
|
183
|
|
View Code Duplication |
} else { |
|
|
|
|
|
|
184
|
|
|
$this->clearMessage(); |
|
185
|
|
|
$this->sessionMessage( |
|
186
|
|
|
_t('Member.ERRORNEWPASSWORD', 'You have entered your new password differently, try again'), |
|
187
|
|
|
'bad' |
|
188
|
|
|
); |
|
189
|
|
|
|
|
190
|
|
|
// redirect back to the form, instead of using redirectBack() which could send the user elsewhere. |
|
191
|
|
|
return $this->controller->redirect($this->controller->Link('changepassword')); |
|
192
|
|
|
} |
|
193
|
|
|
} |
|
194
|
|
|
} |
|
195
|
|
|
|
silverstripe /
silverstripe-activedirectory
Loading history...
Duplicated code is one of the most pungent code smells. If you need to duplicate the same code in three or more different places, we strongly encourage you to look into extracting the code into a single class or operation.
You can also find more detailed suggestions in the “Code” section of your repository.