Allow configuration of a minimum password length, unify password reset
interfaces Summary: - We have a hard-coded minimum length of 3 right now (and 1 in the other interface), which is sort of silly. - Provide a more reasonable default, and allow it to be configured. - We have two password reset interfaces, one of which no longer actually requires you to verify you own the account. This is more than a bit derp. - Merge the interfaces into one, using either an email token or the account's current password to let you change the password. Test Plan: - Reset password on an account. - Changed password on an account. - Created a new account, logged in, set the password. - Tried to set a too-short password, got an error. Reviewers: btrahan, jungejason, nh Reviewed By: jungejason CC: aran, jungejason Maniphest Tasks: T766 Differential Revision: https://secure.phabricator.com/D1374
@@ -81,11 +81,17 @@ class PhabricatorEmailTokenController extends PhabricatorAuthController {
|
||||
$request->setCookie('phusr', $target_user->getUsername());
|
||||
$request->setCookie('phsid', $session_key);
|
||||
|
||||
if (PhabricatorEnv::getEnvConfig('account.editable')) {
|
||||
$next = '/settings/page/password/?token='.$token;
|
||||
} else {
|
||||
$next = '/';
|
||||
}
|
||||
|
||||
$uri = new PhutilURI('/login/validate/');
|
||||
$uri->setQueryParams(
|
||||
array(
|
||||
'phusr' => $target_user->getUsername(),
|
||||
'next' => '/login/reset/',
|
||||
'next' => $next,
|
||||
));
|
||||
|
||||
return id(new AphrontRedirectResponse())
|
||||
|
||||
@@ -1,108 +0,0 @@
|
||||
<?php
|
||||
|
||||
/*
|
||||
* Copyright 2012 Facebook, Inc.
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*/
|
||||
|
||||
class PhabricatorResetPasswordController extends PhabricatorAuthController {
|
||||
|
||||
public function processRequest() {
|
||||
$request = $this->getRequest();
|
||||
$user = $request->getUser();
|
||||
|
||||
if (!PhabricatorEnv::getEnvConfig('auth.password-auth-enabled')) {
|
||||
return new Aphront400Response();
|
||||
}
|
||||
|
||||
$errors = array();
|
||||
|
||||
$e_pass = true;
|
||||
$e_confirm = true;
|
||||
|
||||
if ($request->isFormPost()) {
|
||||
$e_pass = 'Error';
|
||||
$e_confirm = 'Error';
|
||||
|
||||
$pass = $request->getStr('password');
|
||||
$confirm = $request->getStr('confirm');
|
||||
|
||||
if (strlen($pass) < 3) {
|
||||
$errors[] = 'That password is ridiculously short.';
|
||||
}
|
||||
|
||||
if ($pass !== $confirm) {
|
||||
$errors[] = "Passwords do not match.";
|
||||
}
|
||||
|
||||
if (!$errors) {
|
||||
|
||||
// The CSRF token depends on the user's password hash. When we change
|
||||
// it, we cause the CSRF check to fail. We don't need to do a CSRF
|
||||
// check here because we've already performed one in the isFormPost()
|
||||
// call earlier.
|
||||
|
||||
$unguarded = AphrontWriteGuard::beginScopedUnguardedWrites();
|
||||
$user->setPassword($pass);
|
||||
$user->save();
|
||||
unset($unguarded);
|
||||
|
||||
return id(new AphrontRedirectResponse())
|
||||
->setURI('/');
|
||||
}
|
||||
}
|
||||
|
||||
if ($errors) {
|
||||
$error_view = new AphrontErrorView();
|
||||
$error_view->setTitle('Password Reset Failed');
|
||||
$error_view->setErrors($errors);
|
||||
} else {
|
||||
$error_view = null;
|
||||
}
|
||||
|
||||
$form = new AphrontFormView();
|
||||
$form
|
||||
->setUser($user)
|
||||
->setAction('/login/reset/')
|
||||
->appendChild(
|
||||
id(new AphrontFormPasswordControl())
|
||||
->setLabel('New Password')
|
||||
->setName('password')
|
||||
->setError($e_pass))
|
||||
->appendChild(
|
||||
id(new AphrontFormPasswordControl())
|
||||
->setLabel('Confirm Password')
|
||||
->setName('confirm')
|
||||
->setError($e_confirm))
|
||||
->appendChild(
|
||||
id(new AphrontFormSubmitControl())
|
||||
->setValue('Reset Password')
|
||||
->addCancelButton('/', 'Skip'));
|
||||
|
||||
$panel = new AphrontPanelView();
|
||||
$panel->setWidth(AphrontPanelView::WIDTH_FORM);
|
||||
$panel->setHeader('Reset Password');
|
||||
$panel->appendChild($form);
|
||||
|
||||
return $this->buildStandardPageResponse(
|
||||
array(
|
||||
$error_view,
|
||||
$panel,
|
||||
),
|
||||
array(
|
||||
'title' => 'Reset Password',
|
||||
));
|
||||
}
|
||||
|
||||
}
|
||||
@@ -1,23 +0,0 @@
|
||||
<?php
|
||||
/**
|
||||
* This file is automatically generated. Lint this module to rebuild it.
|
||||
* @generated
|
||||
*/
|
||||
|
||||
|
||||
|
||||
phutil_require_module('phabricator', 'aphront/response/400');
|
||||
phutil_require_module('phabricator', 'aphront/response/redirect');
|
||||
phutil_require_module('phabricator', 'aphront/writeguard');
|
||||
phutil_require_module('phabricator', 'applications/auth/controller/base');
|
||||
phutil_require_module('phabricator', 'infrastructure/env');
|
||||
phutil_require_module('phabricator', 'view/form/base');
|
||||
phutil_require_module('phabricator', 'view/form/control/password');
|
||||
phutil_require_module('phabricator', 'view/form/control/submit');
|
||||
phutil_require_module('phabricator', 'view/form/error');
|
||||
phutil_require_module('phabricator', 'view/layout/panel');
|
||||
|
||||
phutil_require_module('phutil', 'utils');
|
||||
|
||||
|
||||
phutil_require_source('PhabricatorResetPasswordController.php');
|
||||