admin password reset implemented for #381

Author: alexweissman

public/index.php

@@ -141,6 +141,13 @@
         else
             return $controller->formUserView($user_id);
     });  
+
+    // User edit password form
+    $app->get('/forms/users/u/:user_id/password/?', function ($user_id) use ($app) {
+        $controller = new UF\UserController($app);
+        $get = $app->request->get();        
+        return $controller->formUserEditPassword($user_id);
+    });
 
     // User creation form
     $app->get('/forms/users/?', function () use ($app) {

public/js/userfrosting.js

@@ -77,11 +77,14 @@ jQuery.validator.setDefaults({
 });
 
 // Process a UserFrosting form, displaying messages from the message stream and executing specified callbacks
-function ufFormSubmit(formElement, validators, msgElement, successCallback, msgCallback) {
+function ufFormSubmit(formElement, validators, msgElement, successCallback, msgCallback, beforeSubmitCallback) {
     formElement.validate({
         rules:          validators['rules'],
         messages :      validators['messages'],
         submitHandler:  function (f, event) {
+            // Execute any "before submit" callback
+            if (typeof beforeSubmitCallback !== "undefined")
+                beforeSubmitCallback();        
             var form = $(f);
             // Set "loading" text for submit button, if it exists, and disable button
             var submit_button = form.find("button[type=submit]");
@@ -93,7 +96,7 @@ function ufFormSubmit(formElement, validators, msgElement, successCallback, msgC
             // Serialize and post to the backend script in ajax mode
             var serializedData = form.find('input, textarea, select').not(':checkbox').serialize();
             // Get unchecked checkbox values, set them to 0
-            form.find('input[type=checkbox]').each(function() {
+            form.find('input[type=checkbox]:enabled').each(function() {
                 if ($(this).is(':checked'))
                     serializedData += "&" + encodeURIComponent(this.name) + "=1";
                 else

public/js/widget-users.js

@@ -21,6 +21,12 @@ function bindUserTableButtons(table) {
         userForm('dialog-user-edit', user_id);
     });
 
+    $(table).find('.js-user-password').click(function() {
+        var btn = $(this);
+        var user_id = btn.data('id');
+        userPasswordForm('dialog-user-password', user_id);
+    });
+
     $(table).find('.js-user-activate').click(function() {
         var btn = $(this);
         var user_id = btn.data('id');
@@ -242,6 +248,72 @@ function userForm(box_id, user_id) {
 	});
 }
 
+/**
+ * Display a modal form for changing a user's password.
+ */
+function userPasswordForm(box_id, user_id) {	
+	user_id = typeof user_id !== 'undefined' ? user_id : "";
+	
+	// Delete any existing instance of the form with the same name
+	if($('#' + box_id).length ) {
+		$('#' + box_id).remove();
+	}
+    
+    var url = site['uri']['public'] + "/forms/users/u/" + user_id + "/password";
+    
+	// Fetch and render the form
+	$.ajax({  
+	  type: "GET",  
+	  url: url,
+	  data: {
+        box_id: box_id
+      },
+	  cache: false
+	})
+	.fail(function(result) {
+        // Display errors on failure
+        $('#userfrosting-alerts').flashAlerts().done(function() {
+        });
+	})
+	.done(function(result) {
+		// Append the form as a modal dialog to the body
+		$( "body" ).append(result);
+		$('#' + box_id).modal('show');
+		
+		// Enable/disable password fields when switch is toggled
+        $(".controls-password").find("input[type='password']").prop('disabled', true);
+        $('#' + box_id).find("input[name='change_password_mode']").click(function() {
+            var type = $(this).val();
+            if (type == "link") {
+                $(".controls-password").find("input[type='password']").prop('disabled', true);
+                $('#' + box_id).find("input[name='flag_password_reset']").prop('disabled', false);
+            } else {
+                $(".controls-password").find("input[type='password']").prop('disabled', false);
+                $('#' + box_id).find("input[name='flag_password_reset']").prop('disabled', true);
+            }
+        });
+		
+		// Link submission buttons
+        ufFormSubmit(
+            $('#' + box_id).find("form"),
+            validators,
+            $("#form-alerts"),
+            function(data, statusText, jqXHR) {
+                // Reload the page on success
+                window.location.reload(true);   
+            },
+            function() {
+                // Enable radio buttons after submit
+                $('#' + box_id).find("input[name='change_password_mode']").prop('disabled', false);
+            },
+            function() {
+                // Disable radio buttons before submit
+                $('#' + box_id).find("input[name='change_password_mode']").prop('disabled', true);
+            }
+        );	
+	});
+}
+
 // Display user info in a panel
 function userDisplay(box_id, user_id) {
 	user_id = typeof user_id !== 'undefined' ? user_id : "";

userfrosting/controllers/AccountController.php

@@ -916,7 +916,7 @@ public function accountSettings(){
             $this->_app->halt(400);
         }    
 
-        // If a new password was specified, hash it
+        // If a new password was specified, hash it.
         if (isset($data['password']))
             $data['password'] = Authentication::hashPassword($data['password']);
 

userfrosting/controllers/UserController.php

@@ -345,6 +345,47 @@ public function formUserEdit($user_id){
         ]);   
     }    
 
+    /**
+     * Renders the form for editing a user's password.
+     *
+     * This does NOT render a complete page.  Instead, it renders the HTML for the form, which can be embedded in other pages.
+     * This page requires authentication.
+     * Request type: GET
+     */  
+    public function formUserEditPassword($user_id){
+        // Get the user to edit
+        $target_user = User::find($user_id);
+        
+        // Access-controlled resource
+        if (!$this->_app->user->checkAccess('uri_users') && !$this->_app->user->checkAccess('uri_group_users', ['primary_group_id' => $target_user->primary_group_id])){
+            $this->_app->notFound();
+        }
+        
+        $get = $this->_app->request->get();
+        
+         // Determine authorized fields
+        $hidden_fields = [];
+
+        if (!$this->_app->user->checkAccess("update_account_setting", ["user" => $target_user, "property" => 'password']))
+            $hidden_fields[] = 'password';
+                
+        // Load validator rules
+        $schema = new \Fortress\RequestSchema($this->_app->config('schema.path') . "/forms/user-update.json");
+        $this->_app->jsValidator->setSchema($schema);  
+        
+        // This form posts to the same resource as "update user"
+        $this->_app->render("components/common/user-set-password.twig", [
+            "box_id" => isset($get['box_id']) ? $get['box_id'] : 'user-set-password',
+            "box_title" => "Change User Password",
+            "form_action" => $this->_app->site->uri['public'] . "/users/u/$user_id",
+            "target_user" => $target_user,
+            "fields" => [
+                "hidden" => $hidden_fields
+            ],
+            "validators" => $this->_app->jsValidator->rules()
+        ]);   
+    }    
+    
     /** 
      * Processes the request to create a new user (from the admin controls).
      * 
@@ -497,7 +538,7 @@ public function updateUser($user_id){
         $ms = $this->_app->alerts; 
 
         // Get the target user
-        $target_user = UserLoader::fetch($user_id);
+        $target_user = User::find($user_id);
 
         // Get the target user's groups
         $groups = $target_user->getGroups();
@@ -515,10 +556,17 @@ public function updateUser($user_id){
             $ms->addMessageTranslated("danger", "ACCESS_DENIED");
             $this->_app->halt(403);
         }
-                       
+        
         // Remove csrf_token
         unset($post['csrf_token']);
-                                
+        
+        // Set up Fortress to process the request
+        $rf = new \Fortress\HTTPRequestFortress($ms, $requestSchema, $post);          
+        
+        if (isset($post['passwordc'])){
+            unset($post['passwordc']);        
+        }
+           
         // Check authorization for submitted fields, if the value has been changed
         foreach ($post as $name => $value) {
             if ($name == "groups" || (isset($target_user->$name) && $post[$name] != $target_user->$name)){
@@ -532,29 +580,30 @@ public function updateUser($user_id){
                 $this->_app->halt(400);
             }
         }
-
+        
         // Check that we are not disabling the master account
         if (($target_user->id == $this->_app->config('user_id_master')) && isset($post['flag_enabled']) && $post['flag_enabled'] == "0"){
             $ms->addMessageTranslated("danger", "ACCOUNT_DISABLE_MASTER");
             $this->_app->halt(403);
         }
-
+        
+        // Check that the email address is not in use
         if (isset($post['email']) && $post['email'] != $target_user->email && UserLoader::exists($post['email'], 'email')){
             $ms->addMessageTranslated("danger", "ACCOUNT_EMAIL_IN_USE", $post);
             $this->_app->halt(400);
         }
 
-        // Set up Fortress to process the request
-        $rf = new \Fortress\HTTPRequestFortress($ms, $requestSchema, $post);                    
-    
         // Sanitize
         $rf->sanitize();
 
         // Validate, and halt on validation errors.
         if (!$rf->validate()) {
             $this->_app->halt(400);
         }   
-               
+        
+        // Remove passwordc
+        $rf->removeFields(['passwordc']);
+           
         // Get the filtered data
         $data = $rf->data();
 
@@ -570,6 +619,11 @@ public function updateUser($user_id){
             unset($data['groups']);
         }
 
+        // Hash password
+        if (isset($data['password'])){
+            $data['password'] = Authentication::hashPassword($data['password']);
+        }
+        
         // Update the user and generate success messages
         foreach ($data as $name => $value){
             if ($value != $target_user->$name){
@@ -587,9 +641,39 @@ public function updateUser($user_id){
             }
         }
 
-        $ms->addMessageTranslated("success", "ACCOUNT_DETAILS_UPDATED", ["user_name" => $target_user->user_name]);
-        $target_user->store();        
+        // If we're generating a password reset, create the corresponding event and shoot off an email
+        if (isset($data['flag_password_reset']) && ($data['flag_password_reset'] == "1")){
+            // Recheck auth
+            if (!$this->_app->user->checkAccess('update_account_setting', ['user' => $target_user, 'property' => 'flag_password_reset'])){
+                $ms->addMessageTranslated("danger", "ACCESS_DENIED");
+                $this->_app->halt(403);
+            }
+            // New password reset event - bypass any rate limiting
+            $target_user->newEventPasswordReset();
+            $target_user->save();
+            // Email the user asking to confirm this change password request
+            $twig = $this->_app->view()->getEnvironment();
+            $template = $twig->loadTemplate("mail/password-reset.twig");        
+            $notification = new Notification($template);
+            $notification->fromWebsite();      // Automatically sets sender and reply-to
+            $notification->addEmailRecipient($target_user->email, $target_user->display_name, [
+                "user" => $target_user,
+                "request_date" => date("Y-m-d H:i:s")
+            ]);
+            
+            try {
+                $notification->send();
+            } catch (\Exception\phpmailerException $e){
+                $ms->addMessageTranslated("danger", "MAIL_ERROR");
+                error_log('Mailer Error: ' . $e->errorMessage());
+                $this->_app->halt(500);
+            }
+            
+            $ms->addMessageTranslated("success", "FORGOTPASS_REQUEST_SENT", ["user_name" => $target_user->user_name]);
+        }
 
+        $ms->addMessageTranslated("success", "ACCOUNT_DETAILS_UPDATED", ["user_name" => $target_user->user_name]);
+        $target_user->save();        
     }
 
     /** 

userfrosting/locale/en_US.php

@@ -123,13 +123,13 @@
 
 // Forgot Password
 $lang = array_merge($lang,array(
-	"FORGOTPASS_INVALID_TOKEN" => "Your activation token is not valid",
+	"FORGOTPASS_INVALID_TOKEN" => "Your secret token is not valid",
 	"FORGOTPASS_OLD_TOKEN" => "Token past expiration time",
 	"FORGOTPASS_COULD_NOT_UPDATE" => "Couldn't update password",
-	"FORGOTPASS_NEW_PASS_EMAIL" => "We have emailed you a new password",
 	"FORGOTPASS_REQUEST_CANNED" => "Lost password request cancelled",
 	"FORGOTPASS_REQUEST_EXISTS" => "There is already an outstanding lost password request on this account",
-	"FORGOTPASS_REQUEST_SUCCESS" => "We have emailed you instructions on how to regain access to your account"
+	"FORGOTPASS_REQUEST_SENT" => "A password reset link has been emailed to the address on file for user '{{user_name}}'",     
+	"FORGOTPASS_REQUEST_SUCCESS" => "We have emailed you instructions on how to regain access to your account"   
 ));
 
 // Mail

userfrosting/schema/forms/user-update.json

@@ -46,6 +46,34 @@
                 "message" : "VALIDATE_INTEGER"
             }
         }
+    },
+    "password" : {
+        "validators" : {
+            "length" : {
+                "min" : 8,
+                "max" : 50,
+                "message" : "ACCOUNT_PASS_CHAR_LIMIT"
+            }
+        },
+        "sanitizers" : {
+            "raw" : {}
+        }    
+    },
+    "passwordc" : {
+        "validators" : {
+            "matches" : {
+                "field" : "password",
+                "message" : "ACCOUNT_PASS_MISMATCH"
+            },
+            "length" : {
+                "min" : 8,
+                "max" : 50,
+                "message" : "ACCOUNT_PASS_CHAR_LIMIT"
+            }
+        },
+        "sanitizers" : {
+            "raw" : {}
+        }    
     },    
     "groups" : {
         "validators" : {
@@ -73,5 +101,15 @@
                 "message" : "VALIDATE_BOOLEAN" 
             }
         }
-    }
+    },
+    "flag_password_reset" : {
+        "validators" : {
+            "member_of" : {
+                "values" : [
+                    "0", "1"
+                ],
+                "message" : "VALIDATE_BOOLEAN" 
+            }
+        }
+    }    
 }

userfrosting/templates/themes/default/components/common/js-snippets/user-table-columns.twig

@@ -72,6 +72,11 @@
                     <i class="fa fa-edit"></i> Edit user
                     </a>
                 </li>
+                <li>
+                    <a href="#" data-id="{{user.id}}" class="js-user-password" data-target="#dialog-user-password" data-toggle="modal">
+                    <i class="fa fa-key"></i> Change password
+                    </a>
+                </li>
                 <li>
                 {{#ifCond user.flag_enabled 1 }}
                     <a href="#" data-id="{{user.id}}" class="js-user-disable">