

refactored YumRegistrationController#actionRecovery() a lot - now use…
…s CPasswordHelper::hashPassword() instead md5()
thyseus committed Jan 30, 2015
1 parent 393b21e commit 447fc1b
Showing 2 changed files with 100 additions and 83 deletions.
172 changes: 94 additions & 78 deletions modules/registration/controllers/YumRegistrationController.php
Expand Up @@ -87,7 +87,7 @@ public function actionRegistration() {
$profile->attributes = $_POST['YumProfile'];

if(Yum::module('registration')->registration_by_email)
$form->username = $profile->email;
$form->username = $profile->email;

$form->validate();
$profile->validate();
Expand All @@ -110,7 +110,7 @@ public function actionRegistration() {
);
}

// Send the Email to the given user object.
// Send the Email to the given user object.
// $user->profile->email needs to be set.
public function sendRegistrationEmail($user) {
if (!isset($user->profile->email))
Expand Down Expand Up @@ -173,90 +173,106 @@ public function actionActivation($email, $key) {
* password.
*/
public function actionRecovery($email = null, $key = null) {
if ($email != null && $key != null)
$this->recoverUser($email, $key);
else
$this->showRecoveryForm($email, $key);
}

protected function showRecoveryForm($email, $key) {
$form = new YumPasswordRecoveryForm;

if ($email != null && $key != null) {
if($profile = YumProfile::model()->find('email = :email', array(
'email' => $email))) {
$user = $profile->user;
if($user->status <= 0)
if (isset($_POST['YumPasswordRecoveryForm'])) {
$form->attributes = $_POST['YumPasswordRecoveryForm'];

if ($form->validate()) {
if($form->user instanceof YumUser) {
if($form->user->status <= 0)
throw new CHttpException(403, 'User is not active');
else if($user->activationKey == $key) {
$passwordform = new YumUserChangePassword;
if (isset($_POST['YumUserChangePassword'])) {
$passwordform->attributes = $_POST['YumUserChangePassword'];
if ($passwordform->validate()) {
$user->setPassword($passwordform->password);
$user->activationKey = CPasswordHelper::hashPassword(
microtime() . $passwordform->password,
Yum::module()->passwordHashCost);
$user->save();
Yum::setFlash('Your new password has been saved.');
if(Yum::module('registration')->loginAfterSuccessfulRecovery) {
$login = new YumUserIdentity($user->username, false);
$login->authenticate(true);
Yii::app()->user->login($login);
$this->redirect(Yii::app()->homeUrl);
}
else {
$this->redirect(Yum::module()->loginUrl);
}
}
}
$this->render(
Yum::module('registration')->changePasswordView, array(
'form' => $passwordform));
Yii::app()->end();
} else {
$form->addError('login_or_email', Yum::t('Invalid recovery key'));
Yum::log(Yum::t(
'Someone tried to recover a password, but entered a wrong recovery key. Email is {email}, associated user is {username} (id: {uid})', array(
'{email}' => $email,
'{uid}' => $user->id,
'{username}' => $user->username)));
$form->user->generateActivationKey();

$recovery_url = $this->createAbsoluteUrl(
Yum::module('registration')->recoveryUrl[0], array(
'key' => urlencode($form->user->activationKey),
'email' => $form->user->profile->email));

Yum::log(Yum::t(
'{username} successfully requested a new password in the password recovery form. A email with the password recovery url {recovery_url} has been sent to {email}', array(
'{email}' => $form->user->profile->email,
'{recovery_url}' => $recovery_url,
'{username}' => $form->user->username)));

$mail = array(
'from' => Yii::app()->params['adminEmail'],
'to' => $form->user->profile->email,
'subject' => 'You requested a new password',
'body' => strtr(
'You have requested a new password. Please use this URL to continue: {recovery_url}', array(
'{recovery_url}' => $recovery_url)),
);
$sent = YumMailer::send($mail);
Yum::setFlash(
'Instructions have been sent to you. Please check your email.');
} else
Yum::log(Yum::t(
'A password has been requested, but no associated user was found in the database. Requested user/email is: {username}', array(
'{username}' => $form->login_or_email)));
$this->redirect(Yum::module()->loginUrl);
}
}
$this->render(Yum::module('registration')->recoverPasswordView, array(
'form' => $form));
}

protected function recoverUser($email, $key) {
$form = new YumPasswordRecoveryForm;

$profile = YumProfile::model()->find('email = :email', array('email' => $email));

if(!$profile)
throw new CHttpException(404, 'Invalid recovery key');

$user = $profile->user;

if($user->status <= 0)
throw new CHttpException(403, 'User is not active');

if($user->activationKey == urldecode($key)) {
$passwordform = new YumUserChangePassword;
if (isset($_POST['YumUserChangePassword'])) {
$passwordform->attributes = $_POST['YumUserChangePassword'];
if ($passwordform->validate()) {
$user->setPassword($passwordform->password);
$user->activationKey = CPasswordHelper::hashPassword(
microtime() . $passwordform->password,
Yum::module()->passwordHashCost);
$user->save();
Yum::setFlash('Your new password has been saved.');
if(Yum::module('registration')->loginAfterSuccessfulRecovery) {
$login = new YumUserIdentity($user->username, false);
$login->authenticate(true);
Yii::app()->user->login($login);
$this->redirect(Yii::app()->homeUrl);
}
else {
$this->redirect(Yum::module()->loginUrl);
}
}
} else {
if (isset($_POST['YumPasswordRecoveryForm'])) {
$form->attributes = $_POST['YumPasswordRecoveryForm'];

if ($form->validate()) {
if($form->user instanceof YumUser) {
if($form->user->status <= 0)
throw new CHttpException(403, 'User is not active');
$form->user->generateActivationKey();
$recovery_url = $this->createAbsoluteUrl(
Yum::module('registration')->recoveryUrl[0], array(
'key' => $form->user->activationKey,
'email' => $form->user->profile->email));

Yum::log(Yum::t(
'{username} successfully requested a new password in the password recovery form. A email with the password recovery url {recovery_url} has been sent to {email}', array(
'{email}' => $form->user->profile->email,
'{recovery_url}' => $recovery_url,
'{username}' => $form->user->username)));

$mail = array(
'from' => Yii::app()->params['adminEmail'],
'to' => $form->user->profile->email,
'subject' => 'You requested a new password',
'body' => strtr(
'You have requested a new password. Please use this URL to continue: {recovery_url}', array(
'{recovery_url}' => $recovery_url)),
);
$sent = YumMailer::send($mail);
Yum::setFlash(
'Instructions have been sent to you. Please check your email.');
} else
Yum::log(Yum::t(
'A password has been requested, but no associated user was found in the database. Requested user/email is: {username}', array(
'{username}' => $form->login_or_email)));
$this->redirect(Yum::module()->loginUrl);
}
}
$this->render(
Yum::module('registration')->changePasswordView, array(
'form' => $passwordform));
Yii::app()->end();
} else {
$form->addError('login_or_email', Yum::t('Invalid recovery key'));

Yum::log(Yum::t(
'Someone tried to recover a password, but entered a wrong recovery key: {user}, {profile}', array(
'{user}' => json_encode($user->attributes),
'{profile}' => json_encode($profile->attributes))));
}

$this->render(Yum::module('registration')->recoverPasswordView, array(
'form' => $form));

}
}
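Review bot: The wrong-key branch at the end of recoverUser() logs `json_encode($user->attributes)` and `json_encode($profile->attributes)`, which writes the user's password hash, the currently valid activationKey (the secret the caller failed to present) and every profile field into the application log; the pre-refactor code logged only the email, id and username, and the log line should go back to that, e.g. `'{email}' => $email, '{uid}' => $user->id, '{username}' => $user->username`. The check `if($user->activationKey == urldecode($key))` compares a secret with a loose, non-constant-time `==`; `if (hash_equals((string) $user->activationKey, (string) urldecode($key)))` (PHP 5.6+) or at least `===` is preferable, and since Yii already decodes GET parameters the extra urldecode() here and the urlencode() added in showRecoveryForm() look like they may double-encode the key, which is worth confirming. recoverUser() also answers an unknown email with a 404 but a known email with a wrong key with a 200 and a form error, so the two outcomes should be made indistinguishable to avoid confirming which addresses are registered. Finally, the new key is a bcrypt hash of microtime() plus the old password, so its unpredictability rests entirely on the random salt that CPasswordHelper generates rather than on its inputs; a dedicated random token (for example from Yii's CSecurityManager::generateRandomString()) would be the clearer and cheaper choice in a follow-up.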
11 changes: 6 additions & 5 deletions modules/user/models/YumUser.php
Expand Up @@ -576,13 +576,13 @@ public function register($username = null,
return false;
}

public function getActivationUrl()
{
public function getActivationUrl() {
/**
* Quick check for a enabled Registration Module
*/
if (Yum::hasModule('registration')) {
$activationUrl = Yum::module('registration')->activationUrl;

if (is_array($activationUrl) && isset($this->profile)) {
$activationUrl = $activationUrl[0];
$params['email'] = $this->profile->email;
Expand Down Expand Up @@ -648,8 +648,7 @@ public static function activate($email, $key) {

/**
* @params boolean $activate Whether to generate activation key when user is
* registering first time (false)
* or when it is activating (true)
* registering first time (false) or when it is activating (true)
* @params string $password password entered by user
* @param array $params, optional, to allow passing values outside class in inherited classes
* By default it uses password and microtime combination to generated activation key
Expand All @@ -661,7 +660,9 @@ public function generateActivationKey($activate = false) {
$this->activationKey = $activate;
$this->save(false, array('activationKey'));
} else
$this->activationKey = md5sum(microtime() . $this->password, Yum::module()->passwordHashCost);
$this->activationKey = CPasswordHelper::hashPassword(
microtime() . $this->password, Yum::module()->passwordHashCost);

if(!$this->isNewRecord)
$this->save(false, array('activationKey'));

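Review bot: The docblock above generateActivationKey() still documents `@params string $password` and `@param array $params` although the signature in the hunk header takes only `$activate`, and it uses the non-standard `@params` tag where `@param` is expected; now that the key comes from CPasswordHelper::hashPassword(), the block should describe that instead, e.g. `@param bool $activate true when the key is being consumed during activation, false when a fresh key is generated` and a sentence noting that the generated key is a bcrypt hash whose unpredictability comes from the helper's random salt, not from microtime() or the password value. The `$activate` branch and the start of the method are outside the hunk, so the value assigned there (`$this->activationKey = $activate;`) could not be reviewed in context. Since bcrypt output exists for password verification rather than as an opaque token, a random string from Yii's CSecurityManager::generateRandomString() would be a cheaper and more direct source for the key in a later change.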
