
Allow vetoing forgot password requests

1 parent d6b75ac commit 9afcf8f01ac6b5c3c054b9a49f1731d35aa868ed @chillu chillu committed Feb 24, 2014
Showing with 21 additions and 4 deletions.
  1. +21 −4 security/MemberLoginForm.php
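--- a/security/MemberLoginForm.php
+++ b/security/MemberLoginForm.php
@@ -1,6 +1,14 @@
 <?php
 /**
- * Log-in form for the "member" authentication method
+ * Log-in form for the "member" authentication method.
+ *
+ * Available extension points:
+ * - "authenticationFailed": Called when login was not successful.
+ * Arguments: $data containing the form submission
+ * - "forgotPassword": Called before forgot password logic kicks in,
+ * allowing extensions to "veto" execution by returning FALSE.
+ * Arguments: $member containing the detected Member record
+ *
 * @package framework
 * @subpackage security
 */
@@ -256,9 +264,12 @@ public function performLogin($data) {
 /**
- * Forgot password form handler method
- *
- * This method is called when the user clicks on "I've lost my password"
+ * Forgot password form handler method.
+ * Called when the user clicks on "I've lost my password".
+ * Extensions can use the 'forgotPassword' method to veto executing
+ * the logic, by returning FALSE. In this case, the user will be redirected back
+ * to the form without further action. It is recommended to set a message
+ * in the form detailing why the action was denied.
 *
 * @param array $data Submitted data
 */
@@ -267,6 +278,12 @@ public function forgotPassword($data) {
 $SQL_email = $SQL_data['Email'];
 $member = DataObject::get_one('Member', "\"Email\" = '{$SQL_email}'");
+ // Allow vetoing forgot password requests
+ $results = $this->extend('forgotPassword', $member);
+ if($results && is_array($results) && in_array(false, $results, true)) {
+ return $this->controller->redirect('Security/lostpassword');
+ }
+
 if($member) {
 $token = $member->generateAutologinTokenAndStoreHash();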
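Review bot: The `forgotPassword` hook in the last hunk runs before the `if($member)` check, so extensions are called with whatever `DataObject::get_one()` returned, including an empty result when no account matches the submitted email, while the class docblock promises "the detected Member record". An extension that dereferences `$member` without a guard will fail on unknown addresses, and one that vetoes only for certain accounts makes the response differ between known and unknown emails, which lets a requester tell registered addresses apart. I would change the hook documentation to `Arguments: $member containing the detected Member record, or an empty value if no account matches` and add to the method docblock that the veto message should read the same whether or not an account exists. The rest of `forgotPassword()` lies outside the hunk, so how the non-veto path responds to unknown emails is not visible here.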
