Wiki: games / Space: XWiki / Page: ResetPasswordComplete
Wiki source code of "Reset your password"
Last modified by Administrator on 2011/11/06 20:09
{{velocity output="false"}}
#**
 This page completes the password reset procedure. It works according to the following algorithm:
 1. Verify that the correct verification URL is entered, by checking the 'u' and 'v' request
    parameters against the existing ResetPasswordRequest objects
 2. Display a form requesting the new password
 3. When receiving the new password via form submission, update the user object with the new
    password, and remove the ResetPasswordRequest object

 URL parameters:
   u  = user account in the verification URL
   v  = random verification string
   p  = the new password
   p2 = the new password (for misspelling check)

 !!!!! IMPORTANT !!!!!
 This document requires programming rights, so always make sure it is saved by a user with
 programming rights, and that it is secured against unprivileged editing.
*###
##
##
## The name of the class used for storing password reset verification data.
#set ($verifClass = 'XWiki.ResetPasswordRequestClass')
##
## START MACROS
##
#**
 * Encrypt a string to get the value that would be stored inside a PasswordProperty field.
 * It is used to check if the unencrypted parameter from the URL is the value stored in the
 * ResetPasswordRequest object.
 * @param value The plaintext value to encrypt.
 * @param result The encrypted output.
 *#
#macro(encrypt $value $result)
  #set ($result = $xwiki.getClass($verifClass).getXWikiClass().get('verification').getPasswordHash($value))
#end
##
##
#**
 * Verify that the request parameters are valid.
 * @param userName The user name (full document name) received in the URL.
 * @param validationString The unencrypted key that is stored in the ResetPasswordRequestClass object.
 * @param isValid A boolean where the validation result is returned. True if the request is valid, false otherwise.
 *#
#macro(verifyRequest $userName $validationString $isValid)
  #set ($isValid = false)
  #if ($validationString != '' && $userName != '')
    #encrypt($validationString $result)
    #set ($encryptedValidationString = $result)
    #if ("$!xwiki.getDocumentAsAuthor($userName).getObject($verifClass).getProperty('verification').getValue()" == $encryptedValidationString)
      #set ($isValid = true)
    #end
  #end
#end
##
##
#**
 * Displays the password reset form.
 * @param message An optional message to display, for example if the sent password is empty.
 * @param userName The user account (full document name), which needs to be preserved.
 * @param validationString The validation string, which will be checked again upon receiving the form.
 *###
#macro(displayForm $message $userName $validationString)
  #if ($message != '')
    {{warning}}$message{{/warning}}
  #end
  {{html}}
  <form action="$doc.getURL()" method="post" class="xform third" onsubmit="if($('p').value == '') {alert('$msg.get('xe.admin.passwordReset.step2.error.emptyPassword')'); return false;} else if($('p').value != $('p2').value) {alert('$msg.get('xe.admin.passwordReset.step2.error.verificationMismatch')'); return false; }">
    <div class="hidden">
      <input type="hidden" name="form_token" value="$!{services.csrf.getToken()}" />
      <input type="hidden" name="u" value="$!escapetool.xml($userName)"/>
      <input type="hidden" name="v" value="$!escapetool.xml($validationString)"/>
    </div>
    <dl>
      <dt><label for="p">$msg.get('xe.admin.passwordReset.step2.newPassword.label')</label></dt>
      <dd><input id="p" type="password" name="p" value="" size="20"/></dd>
      <dt><label for="p2">$msg.get('xe.admin.passwordReset.step2.newPasswordVerification.label')</label></dt>
      <dd><input id="p2" type="password" value="" name="p2" size="20"/></dd>
    </dl>
    <div class="buttons">
      <span class="buttonwrapper"><input type="submit" value="$msg.get('xe.admin.passwordReset.step2.submit')" class="button"/></span>
    </div>
  </form>
  {{/html}}
#end
##
## END MACROS
##
##
#set ($userName = "$!request.u")
#set ($validationString = "$!request.v")
#set ($password = "$!request.p")
#set ($password2 = "$!request.p2")
#verifyRequest($userName $validationString $isValid)
{{/velocity}}

{{velocity}}
##
##
## First, check if the page has programming rights, as nothing works otherwise
#if ($xwiki.hasProgrammingRights())
  #if ($isValid)
    #set ($vuserDoc = $xwiki.getDocumentAsAuthor($userName))
    #if ($request.getParameterMap().containsKey('p'))## Second step, set the user password
      #if ($password == '')
        #displayForm($msg.get('xe.admin.passwordReset.step2.error.emptyPassword') $userName $validationString)
      #elseif ($password != $password2)
        #displayForm($msg.get('xe.admin.passwordReset.step2.error.verificationMismatch') $userName $validationString)
      #else
        ## Assign the result to $discard so that the (void) return value is never rendered into the page
        #set ($discard = $vuserDoc.getObject('XWiki.XWikiUsers').set('password', $password))
        #set ($discard = $vuserDoc.removeObjects($verifClass))
        #set ($discard = $vuserDoc.saveAsAuthor($msg.get('xe.admin.passwordReset.step2.versionComment.passwordReset'), true))
        {{info}}$msg.get('xe.admin.passwordReset.step2.success') [[$msg.get('xe.admin.passwordReset.step2.login')>>path:$xwiki.getURL('XWiki.XWikiLogin', 'login')]]{{/info}}
      #end
    #else## First step, request the user password
      ## The user might not complete this step, and leave the URL in the (public) browser's
      ## history. Prevent reusing the URL by invalidating the initial verification URL and only
      ## posting the new string in the hidden form data.
      #set ($validationString = $util.generateRandomString(30))
      #set ($discard = $vuserDoc.getObject($verifClass).set('verification', $validationString))
      #set ($discard = $vuserDoc.saveAsAuthor($msg.get('xe.admin.passwordReset.step2.versionComment.changeValidationKey'), true))
      #displayForm('' $userName $validationString)
    #end
  #else
    {{error}}$msg.get('xe.admin.passwordReset.step2.error.wrongParameters') [[$msg.get('xe.admin.passwordReset.step2.backToStep1')>>ResetPassword]]{{/error}}
  #end
  ##
  ## Clear private variables, so that they cannot be accessed from the rest of the page (comments, panels...)
  #set ($validationString = '')
  #set ($password = '')
  #set ($password2 = '')
  ##
  ##
#else## No programming rights, warn and exit
  {{error}}$msg.get('xe.admin.passwordReset.step2.error.noProgrammingRights'){{/error}}
#end
{{/velocity}}