Diffstat (limited to 'plugins/Login/PasswordResetter.php')
-rw-r--r-- | plugins/Login/PasswordResetter.php | 48 |
1 files changed, 29 insertions, 19 deletions
diff --git a/plugins/Login/PasswordResetter.php b/plugins/Login/PasswordResetter.php
index e9ce0d75f6..9c706440f9 100644
--- a/plugins/Login/PasswordResetter.php
+++ b/plugins/Login/PasswordResetter.php
@@ -191,20 +191,7 @@ class PasswordResetter
 }
 }
- /**
- * Confirms a password reset. This should be called after {@link initiatePasswordResetProcess()}
- * is called.
- *
- * This method will get the new password associated with a reset token and set it
- * as the specified user's password.
- *
- * @param string $login The login of the user whose password is being reset.
- * @param string $resetToken The generated string token contained in the reset password
- * email.
- * @throws Exception If there is no user with login '$login', if $resetToken is not a
- * valid token or if the token has expired.
- */
- public function confirmNewPassword($login, $resetToken)
+ public function checkValidConfirmPasswordToken($login, $resetToken)
 {
 // get password reset info & user info
 $user = self::getUserInformation($login);
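Review bot: The new public method `checkValidConfirmPasswordToken()` is left without a docblock, because the one removed here reappears later in the diff on `setHashedPasswordForLogin()`. The `@throws Exception` contract (unknown login, invalid or expired token) describes this method, and judging by the `return $resetPassword;` added in the next hunk it now also returns the stored password hash, which a `check…` name does not suggest. I would add a docblock carrying `@param string $resetToken`, `@return string The password hash stored for the pending reset.` and the original `@throws` line. The method body continues outside this hunk.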
@@ -224,15 +211,32 @@ class PasswordResetter
 // check that the stored password hash is valid (sanity check)
 $resetPassword = $resetInfo['hash'];
+ $this->checkPasswordHash($resetPassword);
- // reset password of user
- $usersManager = $this->usersManagerApi;
- Access::doAsSuperUser(function () use ($usersManager, $user, $resetPassword) {
+ return $resetPassword;
+ }
+
+ /**
+ * Confirms a password reset. This should be called after {@link initiatePasswordResetProcess()}
+ * is called.
+ *
+ * This method will get the new password associated with a reset token and set it
+ * as the specified user's password.
+ *
+ * @param string $login The login of the user whose password is being reset.
+ * @param string $passwordHash The generated string token contained in the reset password
+ * email.
+ * @throws Exception If there is no user with login '$login', if $resetToken is not a
+ * valid token or if the token has expired.
+ */
+ public function setHashedPasswordForLogin($login, $passwordHash)
+ {
+ Access::doAsSuperUser(function () use ($login, $passwordHash) {
 $userUpdater = new UserUpdater();
 $userUpdater->updateUserWithoutCurrentPassword(
- $user['login'],
- $resetPassword,
+ $login,
+ $passwordHash,
 $email = false,
 $isPasswordHashed = true
 );
@@ -293,6 +297,12 @@ class PasswordResetter
 return $token;
 }
+ public function doesResetPasswordHashMatchesPassword($passwordPlain, $passwordHash)
+ {
+ $passwordPlain = UsersManager::getPasswordHash($passwordPlain);
+ return $this->passwordHelper->verify($passwordPlain, $passwordHash);
+ }
+
 /**
 * Generates a hash using a hash "identifier" and some data to hash. The hash identifier is
 * a string that differentiates the hash in some way. |
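Review bot: `setHashedPasswordForLogin()` writes whatever hash it is given for any `$login` inside `Access::doAsSuperUser()` and no longer validates a reset token itself, so the token check now depends on every caller invoking `checkValidConfirmPasswordToken()` first and passing on exactly the hash it returned. The copied docblock hides that precondition: it still describes `$passwordHash` as "the generated string token contained in the reset password email" and its `@throws` still names `$resetToken`. I would document the parameter as `@param string $passwordHash Hash returned by checkValidConfirmPasswordToken() for this login.` and state the precondition in the summary, or keep one public entry point that takes the token and performs both steps. The closure body continues past the end of this hunk.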
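Review bot: In `doesResetPasswordHashMatchesPassword()` the line `$passwordPlain = UsersManager::getPasswordHash($passwordPlain);` rebinds the plaintext parameter to a hash, so the name is wrong by the time it reaches `verify()`; a separate local such as `$preHashed` would read correctly. The method also has no docblock while its neighbours do; a short one saying that it compares a user-supplied plaintext password with the hash stored for the pending reset, with `@return bool` if `verify()` returns a boolean as its use here suggests, would help. The name itself would read better as `doesResetPasswordHashMatchPassword`.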