revi-archive/phorge-phorge
1
0
Fork 0
mirror of https://we.phorge.it/source/phorge.git synced 2024-11-13 18:32:41 +01:00
Code Issues Releases Wiki Activity
phorge-phorge/src/applications/settings/panel/PhabricatorUserPasswordSettingsPanelController.php

171 lines
5 KiB
PHP
Raw Normal View History

Add change password settings panel Summary: In password-based auth environments, there is now a user settings panel to allow them to change their password. Test Plan: Click settings, choose password from the left: * enter current password, new password (twice), log out, and log in with new password * enter current password, non-matching passwords, and get error * enter invalid old password, and get error * use firebug to change csrf token and verify that it does not save with and invalid token Changed config to disable password auth, loaded settings panel and saw that password was no longer visible. Tried loading the panel anyway and got redirected. Reviewers: epriestley Reviewed By: epriestley CC: aran, epriestley Differential Revision: 890
2011-09-04 10:53:58 +02:00
<?php
/*
Add "final" to all Phabricator "Controller" classes Summary: These are all unambiguously unextensible. Issues I hit: - Maniphest Change/Diff controllers, just consolidated them. - Some search controllers incorrectly extend from "Search" but should extend from "SearchBase". This has no runtime effects. - D1836 introduced a closure, which we don't handle correctly (somewhat on purpose; we target PHP 5.2). See T962. Test Plan: Ran "testEverythingImplemented" unit test to identify classes extending from `final` classes. Resolved issues. Reviewers: btrahan Reviewed By: btrahan CC: aran, epriestley Maniphest Tasks: T795 Differential Revision: https://secure.phabricator.com/D1843
2012-03-10 00:46:25 +01:00
* Copyright 2012 Facebook, Inc.
Add change password settings panel Summary: In password-based auth environments, there is now a user settings panel to allow them to change their password. Test Plan: Click settings, choose password from the left: * enter current password, new password (twice), log out, and log in with new password * enter current password, non-matching passwords, and get error * enter invalid old password, and get error * use firebug to change csrf token and verify that it does not save with and invalid token Changed config to disable password auth, loaded settings panel and saw that password was no longer visible. Tried loading the panel anyway and got redirected. Reviewers: epriestley Reviewed By: epriestley CC: aran, epriestley Differential Revision: 890
2011-09-04 10:53:58 +02:00
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
Add "final" to all Phabricator "Controller" classes Summary: These are all unambiguously unextensible. Issues I hit: - Maniphest Change/Diff controllers, just consolidated them. - Some search controllers incorrectly extend from "Search" but should extend from "SearchBase". This has no runtime effects. - D1836 introduced a closure, which we don't handle correctly (somewhat on purpose; we target PHP 5.2). See T962. Test Plan: Ran "testEverythingImplemented" unit test to identify classes extending from `final` classes. Resolved issues. Reviewers: btrahan Reviewed By: btrahan CC: aran, epriestley Maniphest Tasks: T795 Differential Revision: https://secure.phabricator.com/D1843
2012-03-10 00:46:25 +01:00
final class PhabricatorUserPasswordSettingsPanelController
Add change password settings panel Summary: In password-based auth environments, there is now a user settings panel to allow them to change their password. Test Plan: Click settings, choose password from the left: * enter current password, new password (twice), log out, and log in with new password * enter current password, non-matching passwords, and get error * enter invalid old password, and get error * use firebug to change csrf token and verify that it does not save with and invalid token Changed config to disable password auth, loaded settings panel and saw that password was no longer visible. Tried loading the panel anyway and got redirected. Reviewers: epriestley Reviewed By: epriestley CC: aran, epriestley Differential Revision: 890
2011-09-04 10:53:58 +02:00
extends PhabricatorUserSettingsPanelController {
public function processRequest() {
$request = $this->getRequest();
$user = $request->getUser();
$editable = $this->getAccountEditable();
// There's no sense in showing a change password panel if the user
// can't change their password
if (!$editable ||
!PhabricatorEnv::getEnvConfig('auth.password-auth-enabled')) {
return new Aphront400Response();
}
Allow configuration of a minimum password length, unify password reset interfaces Summary: - We have a hard-coded minimum length of 3 right now (and 1 in the other interface), which is sort of silly. - Provide a more reasonable default, and allow it to be configured. - We have two password reset interfaces, one of which no longer actually requires you to verify you own the account. This is more than a bit derp. - Merge the interfaces into one, using either an email token or the account's current password to let you change the password. Test Plan: - Reset password on an account. - Changed password on an account. - Created a new account, logged in, set the password. - Tried to set a too-short password, got an error. Reviewers: btrahan, jungejason, nh Reviewed By: jungejason CC: aran, jungejason Maniphest Tasks: T766 Differential Revision: https://secure.phabricator.com/D1374
2012-01-12 05:26:38 +01:00
$min_len = PhabricatorEnv::getEnvConfig('account.minimum-password-length');
$min_len = (int)$min_len;
// NOTE: To change your password, you need to prove you own the account,
// either by providing the old password or by carrying a token to
// the workflow from a password reset email.
$token = $request->getStr('token');
Allow users to have multiple email addresses, and verify emails Summary: - Move email to a separate table. - Migrate existing email to new storage. - Allow users to add and remove email addresses. - Allow users to verify email addresses. - Allow users to change their primary email address. - Convert all the registration/reset/login code to understand these changes. - There are a few security considerations here but I think I've addressed them. Principally, it is important to never let a user acquire a verified email address they don't actually own. We ensure this by tightening the scoping of token generation rules to be (user, email) specific. - This should have essentially zero impact on Facebook, but may require some minor changes in the registration code -- I don't exactly remember how it is set up. Not included here (next steps): - Allow configuration to restrict email to certain domains. - Allow configuration to require validated email. Test Plan: This is a fairly extensive, difficult-to-test change. - From "Email Addresses" interface: - Added new email (verified email verifications sent). - Changed primary email (verified old/new notificactions sent). - Resent verification emails (verified they sent). - Removed email. - Tried to add already-owned email. - Created new users with "accountadmin". Edited existing users with "accountadmin". - Created new users with "add_user.php". - Created new users with web interface. - Clicked welcome email link, verified it verified email. - Reset password. - Linked/unlinked oauth accounts. - Logged in with oauth account. - Logged in with email. - Registered with Oauth account. - Tried to register with OAuth account with duplicate email. - Verified errors for email verification with bad tokens, etc. Reviewers: btrahan, vrana, jungejason Reviewed By: btrahan CC: aran Maniphest Tasks: T1184 Differential Revision: https://secure.phabricator.com/D2393
2012-05-07 19:29:33 +02:00
$valid_token = false;
Allow configuration of a minimum password length, unify password reset interfaces Summary: - We have a hard-coded minimum length of 3 right now (and 1 in the other interface), which is sort of silly. - Provide a more reasonable default, and allow it to be configured. - We have two password reset interfaces, one of which no longer actually requires you to verify you own the account. This is more than a bit derp. - Merge the interfaces into one, using either an email token or the account's current password to let you change the password. Test Plan: - Reset password on an account. - Changed password on an account. - Created a new account, logged in, set the password. - Tried to set a too-short password, got an error. Reviewers: btrahan, jungejason, nh Reviewed By: jungejason CC: aran, jungejason Maniphest Tasks: T766 Differential Revision: https://secure.phabricator.com/D1374
2012-01-12 05:26:38 +01:00
if ($token) {
Allow users to have multiple email addresses, and verify emails Summary: - Move email to a separate table. - Migrate existing email to new storage. - Allow users to add and remove email addresses. - Allow users to verify email addresses. - Allow users to change their primary email address. - Convert all the registration/reset/login code to understand these changes. - There are a few security considerations here but I think I've addressed them. Principally, it is important to never let a user acquire a verified email address they don't actually own. We ensure this by tightening the scoping of token generation rules to be (user, email) specific. - This should have essentially zero impact on Facebook, but may require some minor changes in the registration code -- I don't exactly remember how it is set up. Not included here (next steps): - Allow configuration to restrict email to certain domains. - Allow configuration to require validated email. Test Plan: This is a fairly extensive, difficult-to-test change. - From "Email Addresses" interface: - Added new email (verified email verifications sent). - Changed primary email (verified old/new notificactions sent). - Resent verification emails (verified they sent). - Removed email. - Tried to add already-owned email. - Created new users with "accountadmin". Edited existing users with "accountadmin". - Created new users with "add_user.php". - Created new users with web interface. - Clicked welcome email link, verified it verified email. - Reset password. - Linked/unlinked oauth accounts. - Logged in with oauth account. - Logged in with email. - Registered with Oauth account. - Tried to register with OAuth account with duplicate email. - Verified errors for email verification with bad tokens, etc. Reviewers: btrahan, vrana, jungejason Reviewed By: btrahan CC: aran Maniphest Tasks: T1184 Differential Revision: https://secure.phabricator.com/D2393
2012-05-07 19:29:33 +02:00
$email_address = $request->getStr('email');
$email = id(new PhabricatorUserEmail())->loadOneWhere(
'address = %s',
$email_address);
if ($email) {
$valid_token = $user->validateEmailToken($email, $token);
}
Allow configuration of a minimum password length, unify password reset interfaces Summary: - We have a hard-coded minimum length of 3 right now (and 1 in the other interface), which is sort of silly. - Provide a more reasonable default, and allow it to be configured. - We have two password reset interfaces, one of which no longer actually requires you to verify you own the account. This is more than a bit derp. - Merge the interfaces into one, using either an email token or the account's current password to let you change the password. Test Plan: - Reset password on an account. - Changed password on an account. - Created a new account, logged in, set the password. - Tried to set a too-short password, got an error. Reviewers: btrahan, jungejason, nh Reviewed By: jungejason CC: aran, jungejason Maniphest Tasks: T766 Differential Revision: https://secure.phabricator.com/D1374
2012-01-12 05:26:38 +01:00
}
$e_old = true;
$e_new = true;
$e_conf = true;
Add change password settings panel Summary: In password-based auth environments, there is now a user settings panel to allow them to change their password. Test Plan: Click settings, choose password from the left: * enter current password, new password (twice), log out, and log in with new password * enter current password, non-matching passwords, and get error * enter invalid old password, and get error * use firebug to change csrf token and verify that it does not save with and invalid token Changed config to disable password auth, loaded settings panel and saw that password was no longer visible. Tried loading the panel anyway and got redirected. Reviewers: epriestley Reviewed By: epriestley CC: aran, epriestley Differential Revision: 890
2011-09-04 10:53:58 +02:00
$errors = array();
if ($request->isFormPost()) {
Allow configuration of a minimum password length, unify password reset interfaces Summary: - We have a hard-coded minimum length of 3 right now (and 1 in the other interface), which is sort of silly. - Provide a more reasonable default, and allow it to be configured. - We have two password reset interfaces, one of which no longer actually requires you to verify you own the account. This is more than a bit derp. - Merge the interfaces into one, using either an email token or the account's current password to let you change the password. Test Plan: - Reset password on an account. - Changed password on an account. - Created a new account, logged in, set the password. - Tried to set a too-short password, got an error. Reviewers: btrahan, jungejason, nh Reviewed By: jungejason CC: aran, jungejason Maniphest Tasks: T766 Differential Revision: https://secure.phabricator.com/D1374
2012-01-12 05:26:38 +01:00
if (!$valid_token) {
Use OpaqueEnvelopes for all passwords in Phabricator Summary: See D2991 / T1526. Two major changes here: - PHP just straight-up logs passwords on ldap_bind() failures. Suppress that with "@" and keep them out of DarkConsole by enabling discard mode. - Use PhutilOpaqueEnvelope whenever we send a password into a call stack. Test Plan: - Created a new account. - Reset password. - Changed password. - Logged in with valid password. - Tried to login with bad password. - Changed password via accountadmin. - Hit various LDAP errors and made sure nothing appears in the logs. Reviewers: vrana, btrahan Reviewed By: vrana CC: aran Differential Revision: https://secure.phabricator.com/D2993
2012-07-17 21:06:33 +02:00
$envelope = new PhutilOpaqueEnvelope($request->getStr('old_pw'));
if (!$user->comparePassword($envelope)) {
Allow configuration of a minimum password length, unify password reset interfaces Summary: - We have a hard-coded minimum length of 3 right now (and 1 in the other interface), which is sort of silly. - Provide a more reasonable default, and allow it to be configured. - We have two password reset interfaces, one of which no longer actually requires you to verify you own the account. This is more than a bit derp. - Merge the interfaces into one, using either an email token or the account's current password to let you change the password. Test Plan: - Reset password on an account. - Changed password on an account. - Created a new account, logged in, set the password. - Tried to set a too-short password, got an error. Reviewers: btrahan, jungejason, nh Reviewed By: jungejason CC: aran, jungejason Maniphest Tasks: T766 Differential Revision: https://secure.phabricator.com/D1374
2012-01-12 05:26:38 +01:00
$errors[] = 'The old password you entered is incorrect.';
$e_old = 'Invalid';
}
}
$pass = $request->getStr('new_pw');
$conf = $request->getStr('conf_pw');
if (strlen($pass) < $min_len) {
$errors[] = 'Your new password is too short.';
$e_new = 'Too Short';
}
if ($pass !== $conf) {
$errors[] = 'New password and confirmation do not match.';
$e_conf = 'Invalid';
}
if (!$errors) {
// This write is unguarded because the CSRF token has already
// been checked in the call to $request->isFormPost() and
// the CSRF token depends on the password hash, so when it
// is changed here the CSRF token check will fail.
$unguarded = AphrontWriteGuard::beginScopedUnguardedWrites();
Consolidate user editing code Summary: - We currently have some bugs in account creation due to nontransactional user/email editing. - We save $user, then try to save $email. This may fail for various reasons, commonly because the email isn't unique. - This leaves us with a $user with no email. - Also, logging of edits is somewhat inconsistent across various edit mechanisms. - Move all editing to a `PhabricatorUserEditor` class. - Handle some broken-data cases more gracefully. Test Plan: - Created and edited a user with `accountadmin`. - Created a user with `add_user.php` - Created and edited a user with People editor. - Created a user with OAuth. - Edited user information via Settings. - Tried to create an OAuth user with a duplicate email address, got a proper error. - Tried to create a user via People with a duplicate email address, got a proper error. Reviewers: btrahan, vrana, jungejason Reviewed By: btrahan CC: tberman, aran Maniphest Tasks: T1184 Differential Revision: https://secure.phabricator.com/D2569
2012-05-25 16:30:44 +02:00
Use OpaqueEnvelopes for all passwords in Phabricator Summary: See D2991 / T1526. Two major changes here: - PHP just straight-up logs passwords on ldap_bind() failures. Suppress that with "@" and keep them out of DarkConsole by enabling discard mode. - Use PhutilOpaqueEnvelope whenever we send a password into a call stack. Test Plan: - Created a new account. - Reset password. - Changed password. - Logged in with valid password. - Tried to login with bad password. - Changed password via accountadmin. - Hit various LDAP errors and made sure nothing appears in the logs. Reviewers: vrana, btrahan Reviewed By: vrana CC: aran Differential Revision: https://secure.phabricator.com/D2993
2012-07-17 21:06:33 +02:00
$envelope = new PhutilOpaqueEnvelope($pass);
Consolidate user editing code Summary: - We currently have some bugs in account creation due to nontransactional user/email editing. - We save $user, then try to save $email. This may fail for various reasons, commonly because the email isn't unique. - This leaves us with a $user with no email. - Also, logging of edits is somewhat inconsistent across various edit mechanisms. - Move all editing to a `PhabricatorUserEditor` class. - Handle some broken-data cases more gracefully. Test Plan: - Created and edited a user with `accountadmin`. - Created a user with `add_user.php` - Created and edited a user with People editor. - Created a user with OAuth. - Edited user information via Settings. - Tried to create an OAuth user with a duplicate email address, got a proper error. - Tried to create a user via People with a duplicate email address, got a proper error. Reviewers: btrahan, vrana, jungejason Reviewed By: btrahan CC: tberman, aran Maniphest Tasks: T1184 Differential Revision: https://secure.phabricator.com/D2569
2012-05-25 16:30:44 +02:00
id(new PhabricatorUserEditor())
->setActor($user)
Use OpaqueEnvelopes for all passwords in Phabricator Summary: See D2991 / T1526. Two major changes here: - PHP just straight-up logs passwords on ldap_bind() failures. Suppress that with "@" and keep them out of DarkConsole by enabling discard mode. - Use PhutilOpaqueEnvelope whenever we send a password into a call stack. Test Plan: - Created a new account. - Reset password. - Changed password. - Logged in with valid password. - Tried to login with bad password. - Changed password via accountadmin. - Hit various LDAP errors and made sure nothing appears in the logs. Reviewers: vrana, btrahan Reviewed By: vrana CC: aran Differential Revision: https://secure.phabricator.com/D2993
2012-07-17 21:06:33 +02:00
->changePassword($user, $envelope);
Consolidate user editing code Summary: - We currently have some bugs in account creation due to nontransactional user/email editing. - We save $user, then try to save $email. This may fail for various reasons, commonly because the email isn't unique. - This leaves us with a $user with no email. - Also, logging of edits is somewhat inconsistent across various edit mechanisms. - Move all editing to a `PhabricatorUserEditor` class. - Handle some broken-data cases more gracefully. Test Plan: - Created and edited a user with `accountadmin`. - Created a user with `add_user.php` - Created and edited a user with People editor. - Created a user with OAuth. - Edited user information via Settings. - Tried to create an OAuth user with a duplicate email address, got a proper error. - Tried to create a user via People with a duplicate email address, got a proper error. Reviewers: btrahan, vrana, jungejason Reviewed By: btrahan CC: tberman, aran Maniphest Tasks: T1184 Differential Revision: https://secure.phabricator.com/D2569
2012-05-25 16:30:44 +02:00
Allow configuration of a minimum password length, unify password reset interfaces Summary: - We have a hard-coded minimum length of 3 right now (and 1 in the other interface), which is sort of silly. - Provide a more reasonable default, and allow it to be configured. - We have two password reset interfaces, one of which no longer actually requires you to verify you own the account. This is more than a bit derp. - Merge the interfaces into one, using either an email token or the account's current password to let you change the password. Test Plan: - Reset password on an account. - Changed password on an account. - Created a new account, logged in, set the password. - Tried to set a too-short password, got an error. Reviewers: btrahan, jungejason, nh Reviewed By: jungejason CC: aran, jungejason Maniphest Tasks: T766 Differential Revision: https://secure.phabricator.com/D1374
2012-01-12 05:26:38 +01:00
unset($unguarded);
if ($valid_token) {
// If this is a password set/reset, kick the user to the home page
// after we update their account.
$next = '/';
Add change password settings panel Summary: In password-based auth environments, there is now a user settings panel to allow them to change their password. Test Plan: Click settings, choose password from the left: * enter current password, new password (twice), log out, and log in with new password * enter current password, non-matching passwords, and get error * enter invalid old password, and get error * use firebug to change csrf token and verify that it does not save with and invalid token Changed config to disable password auth, loaded settings panel and saw that password was no longer visible. Tried loading the panel anyway and got redirected. Reviewers: epriestley Reviewed By: epriestley CC: aran, epriestley Differential Revision: 890
2011-09-04 10:53:58 +02:00
} else {
Allow configuration of a minimum password length, unify password reset interfaces Summary: - We have a hard-coded minimum length of 3 right now (and 1 in the other interface), which is sort of silly. - Provide a more reasonable default, and allow it to be configured. - We have two password reset interfaces, one of which no longer actually requires you to verify you own the account. This is more than a bit derp. - Merge the interfaces into one, using either an email token or the account's current password to let you change the password. Test Plan: - Reset password on an account. - Changed password on an account. - Created a new account, logged in, set the password. - Tried to set a too-short password, got an error. Reviewers: btrahan, jungejason, nh Reviewed By: jungejason CC: aran, jungejason Maniphest Tasks: T766 Differential Revision: https://secure.phabricator.com/D1374
2012-01-12 05:26:38 +01:00
$next = '/settings/page/password/?saved=true';
Add change password settings panel Summary: In password-based auth environments, there is now a user settings panel to allow them to change their password. Test Plan: Click settings, choose password from the left: * enter current password, new password (twice), log out, and log in with new password * enter current password, non-matching passwords, and get error * enter invalid old password, and get error * use firebug to change csrf token and verify that it does not save with and invalid token Changed config to disable password auth, loaded settings panel and saw that password was no longer visible. Tried loading the panel anyway and got redirected. Reviewers: epriestley Reviewed By: epriestley CC: aran, epriestley Differential Revision: 890
2011-09-04 10:53:58 +02:00
}
Allow configuration of a minimum password length, unify password reset interfaces Summary: - We have a hard-coded minimum length of 3 right now (and 1 in the other interface), which is sort of silly. - Provide a more reasonable default, and allow it to be configured. - We have two password reset interfaces, one of which no longer actually requires you to verify you own the account. This is more than a bit derp. - Merge the interfaces into one, using either an email token or the account's current password to let you change the password. Test Plan: - Reset password on an account. - Changed password on an account. - Created a new account, logged in, set the password. - Tried to set a too-short password, got an error. Reviewers: btrahan, jungejason, nh Reviewed By: jungejason CC: aran, jungejason Maniphest Tasks: T766 Differential Revision: https://secure.phabricator.com/D1374
2012-01-12 05:26:38 +01:00
return id(new AphrontRedirectResponse())->setURI($next);
Add change password settings panel Summary: In password-based auth environments, there is now a user settings panel to allow them to change their password. Test Plan: Click settings, choose password from the left: * enter current password, new password (twice), log out, and log in with new password * enter current password, non-matching passwords, and get error * enter invalid old password, and get error * use firebug to change csrf token and verify that it does not save with and invalid token Changed config to disable password auth, loaded settings panel and saw that password was no longer visible. Tried loading the panel anyway and got redirected. Reviewers: epriestley Reviewed By: epriestley CC: aran, epriestley Differential Revision: 890
2011-09-04 10:53:58 +02:00
}
}
$notice = null;
if (!$errors) {
if ($request->getStr('saved')) {
$notice = new AphrontErrorView();
$notice->setSeverity(AphrontErrorView::SEVERITY_NOTICE);
$notice->setTitle('Changes Saved');
$notice->appendChild('<p>Your password has been updated.</p>');
}
} else {
$notice = new AphrontErrorView();
$notice->setTitle('Error Changing Password');
$notice->setErrors($errors);
}
Allow configuration of a minimum password length, unify password reset interfaces Summary: - We have a hard-coded minimum length of 3 right now (and 1 in the other interface), which is sort of silly. - Provide a more reasonable default, and allow it to be configured. - We have two password reset interfaces, one of which no longer actually requires you to verify you own the account. This is more than a bit derp. - Merge the interfaces into one, using either an email token or the account's current password to let you change the password. Test Plan: - Reset password on an account. - Changed password on an account. - Created a new account, logged in, set the password. - Tried to set a too-short password, got an error. Reviewers: btrahan, jungejason, nh Reviewed By: jungejason CC: aran, jungejason Maniphest Tasks: T766 Differential Revision: https://secure.phabricator.com/D1374
2012-01-12 05:26:38 +01:00
$len_caption = null;
if ($min_len) {
$len_caption = 'Minimum password length: '.$min_len.' characters.';
}
Add change password settings panel Summary: In password-based auth environments, there is now a user settings panel to allow them to change their password. Test Plan: Click settings, choose password from the left: * enter current password, new password (twice), log out, and log in with new password * enter current password, non-matching passwords, and get error * enter invalid old password, and get error * use firebug to change csrf token and verify that it does not save with and invalid token Changed config to disable password auth, loaded settings panel and saw that password was no longer visible. Tried loading the panel anyway and got redirected. Reviewers: epriestley Reviewed By: epriestley CC: aran, epriestley Differential Revision: 890
2011-09-04 10:53:58 +02:00
$form = new AphrontFormView();
$form
->setUser($user)
Allow configuration of a minimum password length, unify password reset interfaces Summary: - We have a hard-coded minimum length of 3 right now (and 1 in the other interface), which is sort of silly. - Provide a more reasonable default, and allow it to be configured. - We have two password reset interfaces, one of which no longer actually requires you to verify you own the account. This is more than a bit derp. - Merge the interfaces into one, using either an email token or the account's current password to let you change the password. Test Plan: - Reset password on an account. - Changed password on an account. - Created a new account, logged in, set the password. - Tried to set a too-short password, got an error. Reviewers: btrahan, jungejason, nh Reviewed By: jungejason CC: aran, jungejason Maniphest Tasks: T766 Differential Revision: https://secure.phabricator.com/D1374
2012-01-12 05:26:38 +01:00
->addHiddenInput('token', $token);
if (!$valid_token) {
$form->appendChild(
Add change password settings panel Summary: In password-based auth environments, there is now a user settings panel to allow them to change their password. Test Plan: Click settings, choose password from the left: * enter current password, new password (twice), log out, and log in with new password * enter current password, non-matching passwords, and get error * enter invalid old password, and get error * use firebug to change csrf token and verify that it does not save with and invalid token Changed config to disable password auth, loaded settings panel and saw that password was no longer visible. Tried loading the panel anyway and got redirected. Reviewers: epriestley Reviewed By: epriestley CC: aran, epriestley Differential Revision: 890
2011-09-04 10:53:58 +02:00
id(new AphrontFormPasswordControl())
->setLabel('Old Password')
Allow configuration of a minimum password length, unify password reset interfaces Summary: - We have a hard-coded minimum length of 3 right now (and 1 in the other interface), which is sort of silly. - Provide a more reasonable default, and allow it to be configured. - We have two password reset interfaces, one of which no longer actually requires you to verify you own the account. This is more than a bit derp. - Merge the interfaces into one, using either an email token or the account's current password to let you change the password. Test Plan: - Reset password on an account. - Changed password on an account. - Created a new account, logged in, set the password. - Tried to set a too-short password, got an error. Reviewers: btrahan, jungejason, nh Reviewed By: jungejason CC: aran, jungejason Maniphest Tasks: T766 Differential Revision: https://secure.phabricator.com/D1374
2012-01-12 05:26:38 +01:00
->setError($e_old)
Add change password settings panel Summary: In password-based auth environments, there is now a user settings panel to allow them to change their password. Test Plan: Click settings, choose password from the left: * enter current password, new password (twice), log out, and log in with new password * enter current password, non-matching passwords, and get error * enter invalid old password, and get error * use firebug to change csrf token and verify that it does not save with and invalid token Changed config to disable password auth, loaded settings panel and saw that password was no longer visible. Tried loading the panel anyway and got redirected. Reviewers: epriestley Reviewed By: epriestley CC: aran, epriestley Differential Revision: 890
2011-09-04 10:53:58 +02:00
->setName('old_pw'));
Allow configuration of a minimum password length, unify password reset interfaces Summary: - We have a hard-coded minimum length of 3 right now (and 1 in the other interface), which is sort of silly. - Provide a more reasonable default, and allow it to be configured. - We have two password reset interfaces, one of which no longer actually requires you to verify you own the account. This is more than a bit derp. - Merge the interfaces into one, using either an email token or the account's current password to let you change the password. Test Plan: - Reset password on an account. - Changed password on an account. - Created a new account, logged in, set the password. - Tried to set a too-short password, got an error. Reviewers: btrahan, jungejason, nh Reviewed By: jungejason CC: aran, jungejason Maniphest Tasks: T766 Differential Revision: https://secure.phabricator.com/D1374
2012-01-12 05:26:38 +01:00
}
Add change password settings panel Summary: In password-based auth environments, there is now a user settings panel to allow them to change their password. Test Plan: Click settings, choose password from the left: * enter current password, new password (twice), log out, and log in with new password * enter current password, non-matching passwords, and get error * enter invalid old password, and get error * use firebug to change csrf token and verify that it does not save with and invalid token Changed config to disable password auth, loaded settings panel and saw that password was no longer visible. Tried loading the panel anyway and got redirected. Reviewers: epriestley Reviewed By: epriestley CC: aran, epriestley Differential Revision: 890
2011-09-04 10:53:58 +02:00
$form
->appendChild(
id(new AphrontFormPasswordControl())
->setLabel('New Password')
Allow configuration of a minimum password length, unify password reset interfaces Summary: - We have a hard-coded minimum length of 3 right now (and 1 in the other interface), which is sort of silly. - Provide a more reasonable default, and allow it to be configured. - We have two password reset interfaces, one of which no longer actually requires you to verify you own the account. This is more than a bit derp. - Merge the interfaces into one, using either an email token or the account's current password to let you change the password. Test Plan: - Reset password on an account. - Changed password on an account. - Created a new account, logged in, set the password. - Tried to set a too-short password, got an error. Reviewers: btrahan, jungejason, nh Reviewed By: jungejason CC: aran, jungejason Maniphest Tasks: T766 Differential Revision: https://secure.phabricator.com/D1374
2012-01-12 05:26:38 +01:00
->setError($e_new)
Add change password settings panel Summary: In password-based auth environments, there is now a user settings panel to allow them to change their password. Test Plan: Click settings, choose password from the left: * enter current password, new password (twice), log out, and log in with new password * enter current password, non-matching passwords, and get error * enter invalid old password, and get error * use firebug to change csrf token and verify that it does not save with and invalid token Changed config to disable password auth, loaded settings panel and saw that password was no longer visible. Tried loading the panel anyway and got redirected. Reviewers: epriestley Reviewed By: epriestley CC: aran, epriestley Differential Revision: 890
2011-09-04 10:53:58 +02:00
->setName('new_pw'));
$form
->appendChild(
id(new AphrontFormPasswordControl())
->setLabel('Confirm Password')
Allow configuration of a minimum password length, unify password reset interfaces Summary: - We have a hard-coded minimum length of 3 right now (and 1 in the other interface), which is sort of silly. - Provide a more reasonable default, and allow it to be configured. - We have two password reset interfaces, one of which no longer actually requires you to verify you own the account. This is more than a bit derp. - Merge the interfaces into one, using either an email token or the account's current password to let you change the password. Test Plan: - Reset password on an account. - Changed password on an account. - Created a new account, logged in, set the password. - Tried to set a too-short password, got an error. Reviewers: btrahan, jungejason, nh Reviewed By: jungejason CC: aran, jungejason Maniphest Tasks: T766 Differential Revision: https://secure.phabricator.com/D1374
2012-01-12 05:26:38 +01:00
->setCaption($len_caption)
->setError($e_conf)
Add change password settings panel Summary: In password-based auth environments, there is now a user settings panel to allow them to change their password. Test Plan: Click settings, choose password from the left: * enter current password, new password (twice), log out, and log in with new password * enter current password, non-matching passwords, and get error * enter invalid old password, and get error * use firebug to change csrf token and verify that it does not save with and invalid token Changed config to disable password auth, loaded settings panel and saw that password was no longer visible. Tried loading the panel anyway and got redirected. Reviewers: epriestley Reviewed By: epriestley CC: aran, epriestley Differential Revision: 890
2011-09-04 10:53:58 +02:00
->setName('conf_pw'));
$form
->appendChild(
id(new AphrontFormSubmitControl())
->setValue('Save'));
$panel = new AphrontPanelView();
$panel->setHeader('Change Password');
$panel->setWidth(AphrontPanelView::WIDTH_FORM);
$panel->appendChild($form);
return id(new AphrontNullView())
->appendChild(
array(
$notice,
$panel,
));
}
}
Copy permalink