author | Julius Haertl <jus@bitgrid.net> | 2016-05-19 13:23:12 +0200 |
---|---|---|
committer | Julius Haertl <jus@bitgrid.net> | 2016-05-23 16:48:10 +0200 |
commit | 8ee2cb47d09fbcf7c188d48ab6c840fbffbade95 (patch) | |
tree | 90f3d63b924954759cb246cb9f4d86ffaaefb76f /core | |
parent | c10d8a37f70ecdfeea49b646cd2af96e12895c52 (diff) | |
Show error messages if a password reset link is invalid or expired
- Moved token validation to method checkPasswordResetToken
- Render error with message from exceptions
Diffstat (limited to 'core')
-rw-r--r-- | core/Controller/LostController.php | 50 |
1 files changed, 35 insertions, 15 deletions
diff --git a/core/Controller/LostController.php b/core/Controller/LostController.php index 0e0932b288b..61e29495608 100644 --- a/core/Controller/LostController.php +++ b/core/Controller/LostController.php @@ -121,6 +121,17 @@ class LostController extends Controller { * @return TemplateResponse */ public function resetform($token, $userId) { + try { + $this->checkPasswordResetToken($token, $userId); + } catch (\Exception $e) { + return new TemplateResponse( + 'core', 'error', [ + "errors" => array(array("error" => $e->getMessage())) + ], + 'guest' + ); + } + return new TemplateResponse( 'core', 'lostpassword/resetpassword', @@ -132,6 +143,29 @@ class LostController extends Controller { } /** + * @param string $userId + * @param string $userId + * @throws \Exception + */ + private function checkPasswordResetToken($token, $userId) { + $user = $this->userManager->get($userId); + + $splittedToken = explode(':', $this->config->getUserValue($userId, 'owncloud', 'lostpassword', null)); + if(count($splittedToken) !== 2) { + throw new \Exception($this->l10n->t('Couldn\'t reset password because the token is invalid')); + } + + if ($splittedToken[0] < ($this->timeFactory->getTime() - 60*60*12) || + $user->getLastLogin() > $splittedToken[0]) { + throw new \Exception($this->l10n->t('Couldn\'t reset password because the token is expired')); + } + + if (!StringUtils::equals($splittedToken[1], $token)) { + throw new \Exception($this->l10n->t('Couldn\'t reset password because the token is invalid')); + } + } + + /** * @param $message * @param array $additional * @return array 
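Review bot: The new `catch (\Exception $e)` in resetform() passes `$e->getMessage()` straight to the guest-facing `error` template, so any exception that escapes `checkPasswordResetToken()`, not only the two translated token messages, would be shown to an unauthenticated visitor. Consider throwing a dedicated exception type from the helper for the invalid and expired cases and catching only that, with one generic translated message for anything else. Whether the userManager or config lookups can throw here is not visible in the hunk, so treat this as hardening. The body of resetform() continues past the end of the hunk.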
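Review bot: In checkPasswordResetToken() the expiry test runs before `StringUtils::equals($splittedToken[1], $token)`, so a request with a wrong token for an account that has a stale entry gets the "expired" message instead of "invalid". That tells a caller who never held the token that a reset was once requested for that user ID. Comparing the token first, or returning a single message for both failures, removes the difference. `$user->getLastLogin()` is also called without a null check; if `userManager->get()` can return null for an unknown ID (not visible here), guard it with the same "invalid" exception. The docblock lists `@param string $userId` twice; the first should read `@param string $token`.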
@@ -178,22 +212,9 @@ class LostController extends Controller { } try { + $this->checkPasswordResetToken($token, $userId); $user = $this->userManager->get($userId); - $splittedToken = explode(':', $this->config->getUserValue($userId, 'owncloud', 'lostpassword', null)); - if(count($splittedToken) !== 2) { - throw new \Exception($this->l10n->t('Couldn\'t reset password because the token is invalid')); - } - - if ($splittedToken[0] < ($this->timeFactory->getTime() - 60*60*12) || - $user->getLastLogin() > $splittedToken[0]) { - throw new \Exception($this->l10n->t('Couldn\'t reset password because the token is expired')); - } - - if (!StringUtils::equals($splittedToken[1], $token)) { - throw new \Exception($this->l10n->t('Couldn\'t reset password because the token is invalid')); - } - if (!$user->setPassword($password)) { throw new \Exception(); } @@ -202,7 +223,6 @@ class LostController extends Controller { $this->config->deleteUserValue($userId, 'owncloud', 'lostpassword'); @\OC_User::unsetMagicInCookie(); - } catch (\Exception $e){ return $this->error($e->getMessage()); } |
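Review bot: The reset handler in this hunk now resolves the user twice, once inside `checkPasswordResetToken($token, $userId)` and again on the next line with `$this->userManager->get($userId)`. Having the private helper return the `$user` it already validated (`$user = $this->checkPasswordResetToken($token, $userId);`) would drop the second lookup and keep the password change bound to the object the token was checked against. The surrounding try block begins and ends outside this hunk.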