Wiki source code of Reset your password
Last modified by Administrator on 2011/11/06 20:09
{{velocity output="false"}}
#**
This page completes the password reset procedure. It works according to the next algorithm:
1. Verify that the correct verification URL is entered, by checking the 'u' and 'v' request parameters against the existing ResetPasswordRequest objects
2. Display a form requesting the new password
3. When receiving the new password via form submission, update the user object with the new password, and remove the ResetPasswordRequest object

URL parameters:

u = user account in the verification URL
v = random verification string
p = the new password
p2 = the new password (for misspelling check)

!!!!! IMPORTANT !!!!!

This document requires programming rights, so always make sure
it is saved by a user with programming rights, and that
it is secured against unprivileged editing.

*###
##
##
## The name of the class used for storing password reset verification data.
#set ($verifClass = 'XWiki.ResetPasswordRequestClass')
##
## START MACROS
##
#**
 * Encrypt a string to get the value that would be stored inside a PasswordProperty field.
 * It is used to check if the unencrypted parameter from the URL is the value stored in the
 * ResetPasswordRequest object.
 * @param value The plaintext value to encrypt.
 * @param result The encrypted output.
 *#
#macro(encrypt $value $result)
  #set ($result = $xwiki.getClass($verifClass).getXWikiClass().get('verification').getPasswordHash($value))
#end
##
##
#**
 * Verify that the request parameters are valid.
 * @param userName The user name (full document name) received in the URL.
 * @param validationString The unencrypted key that is stored in the ResetPasswordRequestClass object.
 * @param result A boolean where the validation result is returned. True if the request is valid, false otherwise.
 *#
#macro(verifyRequest $userName $validationString $isValid)
  #set ($isValid = false)
  #if ($validationString != '' && $userName != '')
    #encrypt($validationString $result)
    #set ($encryptedValidationString = $result)
    #if ("$!xwiki.getDocumentAsAuthor($userName).getObject($verifClass).getProperty('verification').getValue()" == $encryptedValidationString)
      #set ($isValid = true)
    #end
  #end
#end
##
##
#**
 * Displays the password reset form.
 * @param message An optional message to display, for example if the sent password is empty.
 * @param u The user account (full document name), which needs to be preserved.
 * @param v The validation string, which will be checked again upon receiving the form.
 *###
#macro(displayForm $message $userName $validationString)
  #if ($message != '')
    {{warning}}$message{{/warning}}
  #end

  {{html}}
    <form action="$doc.getURL()" method="post" class="xform third" onsubmit="if($('p').value == '') {alert('$msg.get('xe.admin.passwordReset.step2.error.emptyPassword')'); return false;} else if($('p').value != $('p2').value) {alert('$msg.get('xe.admin.passwordReset.step2.error.verificationMismatch')'); return false; }">
      <div class="hidden">
        <input type="hidden" name="form_token" value="$!{services.csrf.getToken()}" />
        <input type="hidden" name="u" value="$!escapetool.xml($userName)"/>
        <input type="hidden" name="v" value="$!escapetool.xml($validationString)"/>
      </div>
      <dl>
        <dt><label for="p">$msg.get('xe.admin.passwordReset.step2.newPassword.label')</label></dt>
        <dd><input id="p" type="password" name="p" value="" size="20"/></dd>
        <dt><label for="p2">$msg.get('xe.admin.passwordReset.step2.newPasswordVerification.label')</label></dt>
        <dd><input id="p2" type="password" value="" name="p2" size="20"/></dd>
      </dl>
      <div class="buttons">
        <span class="buttonwrapper"><input type="submit" value="$msg.get('xe.admin.passwordReset.step2.submit')" class="button"/></span>
      </div>
    </form>
  {{/html}}

#end
##
## END MACROS
##
##
#set ($userName = "$!request.u")
#set ($validationString = "$!request.v")
#set ($password = "$!request.p")
#set ($password2 = "$!request.p2")
#verifyRequest($userName $validationString $isValid)
{{/velocity}}

{{velocity}}
##
##
## First, check if the page has programming rights, as nothing works otherwise
#if ($xwiki.hasProgrammingRights())
  #if ($isValid)
    #set ($vuserDoc = $xwiki.getDocumentAsAuthor($userName))
    #if ($request.getParameterMap().containsKey('p'))## Second step, set the user password
      #if($password == '')
        #displayForm($msg.get('xe.admin.passwordReset.step2.error.emptyPassword') $userName $validationString)
      #elseif($password != $password2)
        #displayForm($msg.get('xe.admin.passwordReset.step2.error.verificationMismatch') $userName $validationString)
      #else
        $vuserDoc.getObject('XWiki.XWikiUsers').set('password', $password)
        #set($discard = $vuserDoc.removeObjects($verifClass))
        #set ($discard = $vuserDoc.saveAsAuthor($msg.get('xe.admin.passwordReset.step2.versionComment.passwordReset'), true))
        {{info}}$msg.get('xe.admin.passwordReset.step2.success') [[$msg.get('xe.admin.passwordReset.step2.login')>>path:$xwiki.getURL('XWiki.XWikiLogin', 'login')]]{{/info}}

      #end
    #else## First step, request the user password
      ## The user might not complete this step, and leave the URL in the (public) browser's
      ## history. Prevent reusing the URL by invalidating the initial verification URL and only
      ## post the new string in the hidden form data.
      #set ($validationString = $util.generateRandomString(30))
      #set ($discard = $vuserDoc.getObject($verifClass).set('verification', $validationString))
      #set ($discard = $vuserDoc.saveAsAuthor($msg.get('xe.admin.passwordReset.step2.versionComment.changeValidationKey'), true))
      #displayForm('' $userName $validationString)
    #end
  #else

    {{error}}$msg.get('xe.admin.passwordReset.step2.error.wrongParameters') [[$msg.get('xe.admin.passwordReset.step2.backToStep1')>>ResetPassword]]{{/error}}

  #end
  ##
  ## Clear private variables, so that they cannot be accessed from the rest of the page (comments, panels...)
  #set ($validationString = '')
  #set ($password = '')
  #set ($password2 = '')
  ##
  ##
#else## No programming rights, warn and exit

  {{error}}$msg.get('xe.admin.passwordReset.step2.error.noProgrammingRights'){{/error}}

#end
{{/velocity}}
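
The token lifecycle this page implements (verification value stored only as a hash, rotated when the form is first displayed, deleted once the password is set) is modelled below as an added Python example; it is not XWiki code. `ResetStore`, SHA-256 as the token hash, PBKDF2 for the stored password and the constant-time `hmac.compare_digest` comparison (the page itself compares with `==`) are assumptions of the example.

```python
import hashlib
import hmac
import secrets


class ResetStore:
    """In-memory stand-in (hypothetical) for the per-user ResetPasswordRequest objects."""

    def __init__(self):
        self._requests = {}  # user -> hex digest of the currently valid token
        self.passwords = {}  # user -> (salt, derived key); assumption, not XWiki's scheme

    @staticmethod
    def _digest(token):
        # Assumption: SHA-256 stands in for the PasswordProperty hash used by the page.
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user):
        """Create or rotate the token for a user; only its digest is kept."""
        token = secrets.token_urlsafe(30)
        self._requests[user] = self._digest(token)
        return token

    def verify(self, user, token):
        """Counterpart of verifyRequest: non-empty 'u' and 'v', digest must match."""
        stored = self._requests.get(user)
        if not user or not token or stored is None:
            return False
        return hmac.compare_digest(stored, self._digest(token))

    def open_form(self, user, url_token):
        """First step (no 'p'): invalidate the URL token, return the hidden-field token."""
        if not self.verify(user, url_token):
            return None
        return self.issue(user)

    def complete(self, user, form_token, p, p2):
        """Second step ('p' present): set the password and delete the request."""
        if not self.verify(user, form_token):
            return "wrongParameters"
        if p == "":
            return "emptyPassword"
        if p != p2:
            return "verificationMismatch"
        salt = secrets.token_bytes(16)
        key = hashlib.pbkdf2_hmac("sha256", p.encode(), salt, 200_000)
        self.passwords[user] = (salt, key)
        del self._requests[user]  # single use: the same token cannot be replayed
        return "success"
```
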