If a user (normally an administrator) has the permission 'changePasswordForAnyUser', the login form 'username' text box will not be readonly, so that the administrator can change any username's password, at a user's personal request to change their password, by typing in that username.
rossaddison committed May 6, 2024
1 parent f290c57 commit 2ff06e9
Showing 3 changed files with 50 additions and 36 deletions.
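--- a/resources/rbac/items.php
+++ b/resources/rbac/items.php
@@ -12,7 +12,8 @@
 'viewPayment',
 'editPayment',
 'editUser',
-'editClientPeppol'
+'editClientPeppol',
+'canChangePasswordForAnyUser'
 ],
 ],
 
@@ -91,4 +92,11 @@
 'updatedAt' => 1599036348,
 'createdAt' => 1599036348,
 ],
+
+'changePasswordForAnyUser' => [
+'name' => 'changePasswordForAnyUser',
+'type' => 'permission',
+'updatedAt' => 1599036348,
+'createdAt' => 1599036348,
+],
 ];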
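Review bot: The role's child list adds `'canChangePasswordForAnyUser'` while the permission defined lower in the same file, and checked by the controller via `can('changePasswordForAnyUser')`, is named `'changePasswordForAnyUser'`; unless a permission with the `can…` name is defined elsewhere, the role grants a name nothing defines and the new check never succeeds for its members. Change the child entry to `'changePasswordForAnyUser'` so the two agree. The new item also reuses the neighbouring item's `createdAt`/`updatedAt` value 1599036348; if those fields are read anywhere for auditing, the new permission should carry its own timestamp.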
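--- a/resources/views/changepassword/change.php
+++ b/resources/views/changepassword/change.php
@@ -34,10 +34,14 @@
 ->csrf($csrf)
 ->id('changePasswordForm')
 ->open() ?>
-<?= Field::text($formModel, 'login')->addInputAttributes(
+<?= $changePasswordForAnyUser ? Field::text($formModel, 'login')->addInputAttributes(
 [
-'value'=> $login ?? '',
-'readonly'=>'readonly'
+'value' => $login ?? ''
 ]
+) : Field::text($formModel, 'login')->addInputAttributes(
+[
+'value' => $login ?? '',
+'readonly' => 'readonly'
+]
 ); ?>
 <?= Field::password($formModel, 'password') ?>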
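Review bot: Both arms of the new ternary build the same `Field::text($formModel, 'login')` and differ only in whether `'readonly' => 'readonly'` is present, so only the attribute array should branch: `$loginAttributes = ['value' => $login ?? ''];` followed by `if (!$changePasswordForAnyUser) { $loginAttributes['readonly'] = 'readonly'; }` and a single `Field::text($formModel, 'login')->addInputAttributes($loginAttributes)`. Keep in mind that `readonly` only shapes the rendered input; it does not stop a request from carrying a different login, which is raised on the controller hunk. The form markup this field sits in opens above and closes below the hunk.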
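--- a/src/Auth/Controller/ChangePasswordController.php
+++ b/src/Auth/Controller/ChangePasswordController.php
@@ -25,12 +25,12 @@ public function __construct(
 private Session $session,
 private Flash $flash,
 private Translator $translator,
-private CurrentUser $current_user,
+private CurrentUser $currentUser,
 private WebControllerService $webService,
 private ViewRenderer $viewRenderer,
 )
 {
-$this->current_user = $current_user;
+$this->currentUser = $currentUser;
 $this->session = $session;
 $this->flash = new Flash($session);
 $this->translator = $translator;
@@ -47,36 +47,38 @@ public function change(
 ): ResponseInterface {
 if ($authService->isGuest()) {
 return $this->redirectToMain();
 }
-// permit an authenticated user, ie. not a guest, only and null!== current user
-if (!$authService->isGuest()) {
-if ($this->current_user->can('viewInv',[])) {
-// readonly the login detail on the change form
-$identity_id = $this->current_user->getIdentity()->getId();
-if (null!==$identity_id) {
-$identity = $identityRepository->findIdentity($identity_id);
-if (null!==$identity) {
-// Identity and User are in a HasOne relationship so no null value
-$login = $identity->getUser()?->getLogin();
-if ($request->getMethod() === Method::POST
-&& $formHydrator->populate($changePasswordForm, $request->getParsedBody())
-&& $changePasswordForm->change()
-) {
-// Identity implements CookieLoginIdentityInterface: ensure the regeneration of the cookie auth key by means of $authService->logout();
-// @see vendor\yiisoft\user\src\Login\Cookie\CookieLoginIdentityInterface
-
-// Specific note: "Make sure to invalidate earlier issued keys when you implement force user logout,
-// PASSWORD CHANGE and other scenarios, that require forceful access revocation for old sessions.
-// The authService logout function will regenerate the auth key here => overwriting any auth key
-$authService->logout();
-$this->flash_message('success', $this->translator->translate('validator.password.change'));
-return $this->redirectToMain();
-}
-return $this->viewRenderer->render('change', ['formModel' => $changePasswordForm, 'login' => $login]);
-} // identity
-} // identity_id
-} // current user
-} // auth service
-}
+
+$identity_id = $this->currentUser->getIdentity()->getId();
+if (null!==$identity_id) {
+$identity = $identityRepository->findIdentity($identity_id);
+if (null!==$identity) {
+// Identity and User are in a HasOne relationship so no null value
+$login = $identity->getUser()?->getLogin();
+if ($request->getMethod() === Method::POST
+&& $formHydrator->populate($changePasswordForm, $request->getParsedBody())
+&& $changePasswordForm->change()
+) {
+// Identity implements CookieLoginIdentityInterface: ensure the regeneration of the cookie auth key by means of $authService->logout();
+// @see vendor\yiisoft\user\src\Login\Cookie\CookieLoginIdentityInterface
+// Specific note: "Make sure to invalidate earlier issued keys when you implement force user logout,
+// PASSWORD CHANGE and other scenarios, that require forceful access revocation for old sessions.
+// The authService logout function will regenerate the auth key here => overwriting any auth key
+$authService->logout();
+$this->flash_message('success', $this->translator->translate('validator.password.change'));
+return $this->redirectToMain();
+}
+return $this->viewRenderer->render('change', [
+'formModel' => $changePasswordForm,
+'login' => $login,
+/**
+ * @see resources\rbac\items.php
+ * @see https://github.com/yiisoft/demo/pull/602
+ */
+'changePasswordForAnyUser' => $this->currentUser->can('changePasswordForAnyUser')
+]);
+} // identity
+} // identity_id
 return $this->redirectToMain();
 } // reset
+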
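Review bot: In the second hunk the POST branch still runs `$changePasswordForm->change()` on whatever the request body contains, while the only thing keeping an ordinary user on their own account is the `readonly` attribute the view toggles from the new `changePasswordForAnyUser` flag, which is a browser hint rather than a server-side check. Unless ChangePasswordForm::change() ignores the submitted login (its body is outside this page), a user without the permission can post a different login and change that account's password; evaluate `$canChangeAny = $this->currentUser->can('changePasswordForAnyUser');` once before the POST branch, and when it is false reject or overwrite any submitted login that differs from `$login` before `change()` is reached, reusing the same local in the render array. Separately, `$authService->logout()` on the success path ends the current user's session, so when a permission holder changes someone else's password it is the administrator who is logged out, and the revocation described in the comment above it does not reach the target account's existing sessions. The method's signature starts above the hunk.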
