
feature #855 [reset-password] allow anyone to access check email (jru…
…shlow)

This PR was squashed before being merged into the 1.0-dev branch.

Discussion
----------

[reset-password] allow anyone to access check email

fixes #808

- [x] Requires SymfonyCasts/reset-password-bundle#156

Commits
-------

8d9f452 [reset-password] allow anyone to access check email
weaverryan committed Mar 31, 2021
2 parents 2c3009b + 8d9f452 commit 0065779
Showing 5 changed files with 15 additions and 17 deletions.
13 changes: 5 additions & 8 deletions src/Maker/MakeResetPassword.php
Expand Up @@ -32,12 +32,11 @@
use Symfony\Component\Console\Input\InputInterface;
use Symfony\Component\Mailer\MailerInterface;
use Symfony\Component\Yaml\Yaml;
use SymfonyCasts\Bundle\ResetPassword\Controller\ResetPasswordControllerTrait;
use SymfonyCasts\Bundle\ResetPassword\Model\ResetPasswordRequestInterface;
use SymfonyCasts\Bundle\ResetPassword\Model\ResetPasswordRequestTrait;
use SymfonyCasts\Bundle\ResetPassword\Model\ResetPasswordToken;
use SymfonyCasts\Bundle\ResetPassword\Persistence\Repository\ResetPasswordRequestRepositoryTrait;
use SymfonyCasts\Bundle\ResetPassword\Persistence\ResetPasswordRequestRepositoryInterface;
use SymfonyCasts\Bundle\ResetPassword\ResetPasswordHelper;
use SymfonyCasts\Bundle\ResetPassword\SymfonyCastsResetPasswordBundle;

/**
Expand Down Expand Up @@ -96,12 +95,10 @@ public function configureDependencies(DependencyBuilder $dependencies): void

$dependencies->addClassDependency(Annotation::class, 'annotations');

// reset-password-bundle 1.3 includes helpers to get/set a ResetPasswordToken object from the session.
// we need to check that version 1.3 is installed
if (class_exists(ResetPasswordToken::class)) {
if (!method_exists(ResetPasswordControllerTrait::class, 'getTokenObjectFromSession')) {
throw new RuntimeCommandException('Please upgrade symfonycasts/reset-password-bundle to version 1.3 or greater.');
}
// reset-password-bundle 1.6 includes the ability to generate a fake token.
// we need to check that version 1.6 is installed
if (class_exists(ResetPasswordHelper::class) && !method_exists(ResetPasswordHelper::class, 'generateFakeResetToken')) {
throw new RuntimeCommandException('Please run "composer upgrade symfonycasts/reset-password-bundle". Version 1.6 or greater of this bundle is required.');
}
}

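Review bot: The upgrade check on the new `if` only runs when `ResetPasswordHelper` already autoloads, so a project without the bundle installed skips it silently and the generated controller's call to `generateFakeResetToken()` would only fail at runtime; presumably the bundle itself is declared via `addClassDependency` earlier in `configureDependencies`, which is outside this hunk, so worth confirming. Dropping the old 1.3 `getTokenObjectFromSession` check looks safe, because any bundle version that lacks `generateFakeResetToken` also trips the new condition. I would record that in the comment so the older check is not reinstated later: `// Version 1.6 added generateFakeResetToken(); this check also covers the older 1.3 (getTokenObjectFromSession) requirement.`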
Expand Up @@ -75,9 +75,10 @@ public function request(Request $request, MailerInterface $mailer): Response
<?php } ?>
public function checkEmail(): Response
{
// We prevent users from directly accessing this page
// Generate a fake token if the user does not exist or someone hit this page directly.
// This prevents exposing whether or not a user was found with the given email address or not
if (null === ($resetToken = $this->getTokenObjectFromSession())) {
return $this->redirectToRoute('app_forgot_password_request');
$resetToken = $this->resetPasswordHelper->generateFakeResetToken();
}

return $this->render('reset_password/check_email.html.twig', [
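Review bot: The comment above the `if` describes a condition the method never evaluates — the only thing checked here is whether the session holds a token; whether `request()` leaves the session empty for an unknown email happens outside this hunk. I would word it to match the code: `// No real token in the session (unknown email, or the page was opened directly): render with a fake one so the response does not reveal whether the address is registered.` The enumeration protection only holds if the rendered page is indistinguishable for real and fake tokens, so every value the template reads from `$resetToken` (here the expiration message) must have the same shape in both cases; that is the contract expected of `generateFakeResetToken()` and deserves a functional test. `checkEmail()` continues past the end of the hunk, and the `request()` method named in the hunk header lies above it.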
Expand Up @@ -4,7 +4,7 @@

{% block body %}
<p>
An email has been sent that contains a link that you can click to reset your password.
If an account matching your email exists, then an email was just sent that contains a link that you can use to reset your password.
This link will expire in {{ resetToken.expirationMessageKey|trans(resetToken.expirationMessageData, 'ResetPasswordBundle') }}.
</p>
<p>If you don't receive an email please check your spam folder or <a href="{{ path('app_forgot_password_request') }}">try again</a>.</p>
2 changes: 1 addition & 1 deletion src/Resources/skeleton/resetPassword/twig_request.tpl.php
Expand Up @@ -19,4 +19,4 @@

<button class="btn btn-primary">Send password reset email</button>
{{ form_end(requestForm) }}
{% endblock %}
{% endblock %}
Expand Up @@ -11,23 +11,23 @@ public function testResetRequestRoute()
$client = static::createClient();
$client->request('GET', '/reset-password');

$this->assertSame(200, $client->getResponse()->getStatusCode());
self::assertSame(200, $client->getResponse()->getStatusCode());
}

public function testResetRequestRouteDeniesInvalidToken()
{
$client = static::createClient();
$client->request('GET', '/reset-password/reset/badToken1234');

$this->assertSame(302, $client->getResponse()->getStatusCode());
self::assertSame(302, $client->getResponse()->getStatusCode());
}

public function testCheckEmailRouteRedirectsToRequestRouteIfUserNotAllowedToCheckEmail()
public function testCheckEmailPageIsAlwaysAccessible()
{
$client = static::createClient();
$client->request('GET', '/reset-password/check-email');

$this->assertSame(302, $client->getResponse()->getStatusCode());
$this->assertResponseRedirects('/reset-password');
self::assertResponseIsSuccessful();
self::assertPageTitleSame('Password Reset Email Sent');
}
}
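Review bot: `testCheckEmailPageIsAlwaysAccessible` pins only the status code and page title, so nothing in the suite checks the property the change exists for — that a direct visit and a visit after submitting an unregistered email render the same page. Suggest a companion test that posts the request form with an address that has no account, follows the redirect to `/reset-password/check-email`, and compares that response body (or at least the expiration sentence) with the body from the direct `GET` in this test; any visible difference would reintroduce the account-enumeration signal the commit removes. The hunk opens inside `testResetRequestRoute`, whose signature and the enclosing class are outside it.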
