1 <?php
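/**
 * Form that lets a member set a new password.
 *
 * The member is identified either by the current login
 * (Member::currentUser()) or by the 'AutoLoginHash' value held in the
 * session. A logged-in member has to supply the current password as well.
 */
class ChangePasswordForm extends Form {

	/**
	 * Build the form, creating default fields and actions when none are given.
	 *
	 * Default fields: "NewPassword1" and "NewPassword2", plus "OldPassword"
	 * when a member is logged in and the request carries no `h` parameter that
	 * Member::member_from_autologinhash() resolves to a member.
	 *
	 * NOTE(review): doChangePassword() demands OldPassword from every
	 * logged-in member, including the case where this constructor left the
	 * field out because of a valid `h` hash. That combination fails closed,
	 * but confirm it is intended.
	 *
	 * @param mixed $controller Passed through to Form::__construct().
	 * @param string $name Passed through to Form::__construct().
	 * @param FieldSet|null $fields Custom fields; defaults are built when empty.
	 * @param FieldSet|null $actions Custom actions; a single
	 *                               "doChangePassword" action is built when empty.
	 */
	public function __construct($controller, $name, $fields = null, $actions = null) {
		// Prefer a BackURL supplied with the request; otherwise consume the one
		// stored in the session so it is only used once.
		if(isset($_REQUEST['BackURL'])) {
			$backURL = $_REQUEST['BackURL'];
		} else {
			$backURL = Session::get('BackURL');
			Session::clear('BackURL');
		}

		if(!$fields) {
			$fields = new FieldSet();

			$hasValidHash = isset($_REQUEST['h']) && Member::member_from_autologinhash($_REQUEST['h']);
			if(Member::currentUser() && !$hasValidHash) {
				$fields->push(new PasswordField("OldPassword",_t('Member.YOUROLDPASSWORD', "Your old password")));
			}

			$fields->push(new PasswordField("NewPassword1", _t('Member.NEWPASSWORD', "New Password")));
			$fields->push(new PasswordField("NewPassword2", _t('Member.CONFIRMNEWPASSWORD', "Confirm New Password")));
		}

		if(!$actions) {
			$actions = new FieldSet(
				new FormAction("doChangePassword", _t('Member.BUTTONCHANGEPASSWORD', "Change Password"))
			);
		}

		// The value is request-controlled and is only carried along here;
		// doChangePassword() checks it with Director::is_site_url() before
		// redirecting to it.
		if(isset($backURL)) {
			$fields->push(new HiddenField('BackURL', 'BackURL', $backURL));
		}

		parent::__construct($controller, $name, $fields, $actions);
	}

	/**
	 * Form action: validate the submission and change the member's password.
	 *
	 * Every outcome ends in a redirect; nothing is returned.
	 *
	 * @param array $data Submitted form data. Reads 'OldPassword',
	 *                    'NewPassword1' and 'NewPassword2'.
	 */
	public function doChangePassword(array $data) {
		if($member = Member::currentUser()) {
			// A logged-in member must prove knowledge of the current password.
			if(empty($data['OldPassword']) || !$member->checkPassword($data['OldPassword'])->valid()) {
				$this->clearMessage();
				$this->sessionMessage(
					_t('Member.ERRORPASSWORDNOTMATCH', "Your current password does not match, please try again"),
					"bad"
				);
				Director::redirectBack();
				return;
			}
		}

		if(!$member) {
			// Nobody is logged in: fall back to the auto-login hash kept in the session.
			if(Session::get('AutoLoginHash')) {
				$member = Member::member_from_autologinhash(Session::get('AutoLoginHash'));
			}

			if(!$member) {
				// No member could be resolved; drop the hash and send the visitor to the login page.
				Session::clear('AutoLoginHash');
				Director::redirect('loginpage');
				return;
			}
		}

		if(empty($data['NewPassword1'])) {
			$this->clearMessage();
			$this->sessionMessage(
				_t('Member.EMPTYNEWPASSWORD', "The new password can't be empty, please try again"),
				"bad");
			Director::redirectBack();
			return;
		}

		$newPassword = $data['NewPassword1'];
		$confirmation = isset($data['NewPassword2']) ? $data['NewPassword2'] : null;

		// Compare strictly. A loose == treats numeric-looking strings such as
		// "1e3" and "1000" as equal, so a mistyped confirmation could pass.
		// Requiring a string also keeps array-valued request parameters away
		// from Member::changePassword().
		if(!is_string($newPassword) || $newPassword !== $confirmation) {
			$this->clearMessage();
			$this->sessionMessage(
				_t('Member.ERRORNEWPASSWORD', "You have entered your new password differently, try again"),
				"bad");
			Director::redirectBack();
			return;
		}

		$isValid = $member->changePassword($newPassword);
		if(!$isValid->valid()) {
			$this->clearMessage();
			// NOTE(review): the third argument looks intended as the value for
			// "%s"; confirm that _t() substitutes it, otherwise wrap in sprintf().
			$this->sessionMessage(
				_t('Member.INVALIDNEWPASSWORD', "We couldn't accept that password: %s", nl2br("\n".$isValid->starredList())),
				"bad");
			Director::redirectBack();
			return;
		}

		$this->clearMessage();
		// NOTE(review): the message says a copy of the password is emailed;
		// confirm whether Member::changePassword() really sends it in clear text.
		$this->sessionMessage(
			_t('Member.PASSWORDCHANGED', "Your password has been changed, and a copy emailed to you."),
			"good");

		// The hash has served its purpose once the password is changed.
		Session::clear('AutoLoginHash');

		// Only follow a BackURL that Director::is_site_url() accepts, so the
		// request parameter cannot turn this into a redirect to another site.
		if(isset($_REQUEST['BackURL'])
			&& $_REQUEST['BackURL']
			&& Director::is_site_url($_REQUEST['BackURL'])
		) {
			Director::redirect($_REQUEST['BackURL']);
		} else {
			// Otherwise send the member to the login link with BackURL set to the site's base URL.
			$redirectURL = HTTP::setGetVar('BackURL', urlencode(Director::absoluteBaseURL()), Security::Link('login'));
			Director::redirect($redirectURL);
		}
	}

}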
134 ?>