Diffstat (limited to 'application/front/controller/admin/PasswordController.php')
-rw-r--r-- | application/front/controller/admin/PasswordController.php | 100 |
1 files changed, 100 insertions, 0 deletions
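--- /dev/null
+++ b/application/front/controller/admin/PasswordController.php
@@ -0,0 +1,100 @@
+<?php
+
+declare(strict_types=1);
+
+namespace Shaarli\Front\Controller\Admin;
+
+use Shaarli\Container\ShaarliContainer;
+use Shaarli\Front\Exception\OpenShaarliPasswordException;
+use Shaarli\Front\Exception\ShaarliFrontException;
+use Slim\Http\Request;
+use Slim\Http\Response;
+use Throwable;
+
+/**
+ * Class PasswordController
+ *
+ * Slim controller used to handle passwords update.
+ */
+class PasswordController extends ShaarliAdminController
+{
+    public function __construct(ShaarliContainer $container)
+    {
+        parent::__construct($container);
+
+        $this->assignView(
+            'pagetitle',
+            t('Change password') .' - '. $this->container->conf->get('general.title', 'Shaarli')
+        );
+    }
+
+    /**
+     * GET /password - Displays the change password template
+     */
+    public function index(Request $request, Response $response): Response
+    {
+        return $response->write($this->render('changepassword'));
+    }
+
+    /**
+     * POST /password - Change admin password - existing and new passwords need to be provided.
+     */
+    public function change(Request $request, Response $response): Response
+    {
+        $this->checkToken($request);
+
+        if ($this->container->conf->get('security.open_shaarli', false)) {
+            throw new OpenShaarliPasswordException();
+        }
+
+        $oldPassword = $request->getParam('oldpassword');
+        $newPassword = $request->getParam('setpassword');
+
+        if (empty($newPassword) || empty($oldPassword)) {
+            $this->saveErrorMessage(t('You must provide the current and new password to change it.'));
+
+            return $response
+                ->withStatus(400)
+                ->write($this->render('changepassword'))
+            ;
+        }
+
+        // Make sure old password is correct.
+        $oldHash = sha1(
+            $oldPassword .
+            $this->container->conf->get('credentials.login') .
+            $this->container->conf->get('credentials.salt')
+        );
+
+        if ($oldHash !== $this->container->conf->get('credentials.hash')) {
+            $this->saveErrorMessage(t('The old password is not correct.'));
+
+            return $response
+                ->withStatus(400)
+                ->write($this->render('changepassword'))
+            ;
+        }
+
+        // Save new password
+        // Salt renders rainbow-tables attacks useless.
+        $this->container->conf->set('credentials.salt', sha1(uniqid('', true) .'_'. mt_rand()));
+        $this->container->conf->set(
+            'credentials.hash',
+            sha1(
+                $newPassword
+                . $this->container->conf->get('credentials.login')
+                . $this->container->conf->get('credentials.salt')
+            )
+        );
+
+        try {
+            $this->container->conf->write($this->container->loginManager->isLoggedIn());
+        } catch (Throwable $e) {
+            throw new ShaarliFrontException($e->getMessage(), 500, $e);
+        }
+
+        $this->saveSuccessMessage(t('Your password has been changed'));
+
+        return $response->write($this->render('changepassword'));
+    }
+}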
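Review bot: The new salt on line 80 of the file is built from `uniqid('', true)` and `mt_rand()`, neither of which is a cryptographic source, so its entropy is bounded by the request timestamp and a non-CSPRNG seed; the CSPRNG should be used instead, `$this->container->conf->set('credentials.salt', bin2hex(random_bytes(32)));` (the salt is only ever concatenated into sha1, so its length and format are free). The old-password check on line 69 compares the two hashes with `!==`, which stops at the first differing byte; `if (!hash_equals((string) $this->container->conf->get('credentials.hash'), $oldHash)) {` keeps the comparison constant-time. The `sha1(password . login . salt)` scheme itself is presumably kept for compatibility with the existing login check and stored `credentials.hash`, so moving to `password_hash()`/`password_verify()` would need a coordinated change in the login path and is out of scope for this commit. Separately, `empty()` on line 53 treats the string `'0'` as absent, so that value can be neither set nor supplied as the current password; `=== null || === ''` checks would avoid that.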