Refactored the UserController and UserType. Added secure password change…

Refactored the UserController and UserType. Added secure password change (requires now current password to work).

src/Jity/HomepageBundle/Controller/DefaultController.php

@@ -89,9 +89,18 @@ class DefaultController extends Controller
      */
     public function overallProcessAction()
     {
-        $this->get('session')->getFlashBag()->add('error',
-            'Achtung, diese Seite befindet sich zur Zeit noch in der Entwicklung.'
-        );
+        // Try to get showDevelWarning flag from session
+        $develWarningFlag = $this->get('session')->get('develWarningFlag');
+
+        // If we found not flag, print our warning
+        if (empty($develWarningFlag)) {
+            
+            $this->get('session')->getFlashBag()->add('error',
+                'Achtung, diese Seite befindet sich zur Zeit noch in der Entwicklung.'
+            );
+
+            $this->get('session')->set('develWarningFlag', true);
+        }
 
         return new Response();
     }
@@ -105,10 +114,6 @@ class DefaultController extends Controller
      */
     public function showPageAction($slug)
     {
-        // $this->get('session')->getFlashBag()->add('notice', 'Diese Seite befindet sich aktuell in der Entwicklung.');
-        // $this->get('session')->getFlashBag()->add('success', 'Diese Seite befindet sich aktuell in der Entwicklung.');
-        // $this->get('session')->getFlashBag()->add('error', 'Diese Seite befindet sich aktuell in der Entwicklung.');
-
         // Get Entity Manager
         $em = $this->getDoctrine()->getEntityManager();
 

src/Jity/HomepageBundle/Controller/UserController.php

@@ -46,39 +46,20 @@ class UserController extends Controller
 
         $em = $this->getDoctrine()->getEntityManager();
 
+        // Try to find a valid user object
         $entity = $this->container->get('security.context')->getToken()->getUser();
 
         if (!$entity) {
             throw $this->createNotFoundException('Unable to find User entity.');
         }
 
-        $editForm = $this->createForm(new UserType(), $entity, array(
+        // Generate the dynamic form
+        $editForm = $this->createForm(new UserType($mode), $entity, array(
 
             // Validate '$mode' Group
-            'validation_groups' => array($mode)
+            'validation_groups' => array($mode),
         ));
 
-        if ('profile' == $mode) {
-
-            // We dont want to modify the Email and Password here
-            $editForm->remove('email');
-            $editForm->remove('password');
-            $editForm->remove('password_control');
-
-        } elseif ('email' == $mode) {
-
-            $editForm->remove('password');
-            $editForm->remove('password_control');
-            $editForm->remove('firstName');
-            $editForm->remove('lastName');
-
-        } elseif ('password' == $mode) {
-
-            $editForm->remove('email');
-            $editForm->remove('firstName');
-            $editForm->remove('lastName');
-        }
-
         return $this->render('JityHomepageBundle:User:edit.html.twig', array(
             'entity'    => $entity,
             'mode'      => $mode,
@@ -103,50 +84,52 @@ class UserController extends Controller
             return $this->redirect($this->generateUrl('user_dashboard'));
         }
 
-        $em = $this->getDoctrine()->getEntityManager();
-
+        // Try to find a valid user object
         $entity = $this->container->get('security.context')->getToken()->getUser();
 
         if (!$entity) {
             throw $this->createNotFoundException('Unable to find User entity.');
         }
 
-        $editForm = $this->createForm(new UserType(), $entity, array(
+        // Save current user for validation
+        $currentUser = clone $entity;
+
+        // Generate the dynamic form
+        $editForm = $this->createForm(new UserType($mode), $entity, array(
 
             // Validate '$mode' Group
             'validation_groups' => array($mode)
         ));
 
-        if ('profile' == $mode) {
+        $editForm->bind($this->getRequest());
 
-            $editForm->remove('email');
-            $editForm->remove('password');
-            $editForm->remove('password_control');
+        if ($editForm->isValid()) {
 
-        } elseif ('email' == $mode) {
+            $em = $this->getDoctrine()->getEntityManager();
 
-            $editForm->remove('password');
-            $editForm->remove('password_control');
-            $editForm->remove('firstName');
-            $editForm->remove('lastName');
+            if ('password' == $mode) {
 
-        } elseif ('password' == $mode) {
+                // Check the old password field to secure the
+                // password change. At this point the two new
+                // passwords are equal. (Checked by form)
 
-            $editForm->remove('email');
-            $editForm->remove('firstName');
-            $editForm->remove('lastName');
-        }
+                // Get Password Encoder (definded in app/config/security.yml)
+                $encoder = $this->get('security.encoder_factory')->getEncoder($entity);
 
-        $request = $this->getRequest();
+                // Get current password from form (password_old)
+                $currentPassword = $editForm->get('password_old')->getData();
 
-        $editForm->bind($request);
+                // Hash the current password for validation
+                $currentHash = $encoder->encodePassword($currentPassword, $currentUser->getSalt());
 
-        if ($editForm->isValid()) {
+                // Reject the request and redirect to form
+                if ($currentHash !== $currentUser->getPassword()) {
+                    
+                    // Write flash message and redirect back
+                    $this->get('session')->getFlashBag()->add('error', 'Das alte Password stimmt nicht mit ihrem aktuellen überein.');
 
-            if ('password' == $mode) {
-
-                // Get Password Encoder (definded in app/config/security.yml)
-                $encoder = $this->get('security.encoder_factory')->getEncoder($entity);
+                    return $this->redirect($this->generateUrl('user_edit', array('mode' => 'password')));
+                }
 
                 // Regenerate Salt
                 $entity->setSalt();
@@ -156,9 +139,13 @@ class UserController extends Controller
                 $entity->setPassword($password);
             }
 
+            // Write current changes
             $em->persist($entity);
             $em->flush();
 
+            // Write flash message and redirect back
+            $this->get('session')->getFlashBag()->add('success', 'Ihr Password wurde erfolgreich geändert.');
+
             return $this->redirect($this->generateUrl('user_dashboard'));
         }
 

src/Jity/HomepageBundle/Form/UserType.php

@@ -15,6 +15,39 @@ use Symfony\Component\OptionsResolver\OptionsResolverInterface;
  */
 class UserType extends AbstractType
 {
+    const MODE_CHANGE_PASSWORD = 1;
+    const MODE_CHANGE_PROFILE  = 2;
+    const MODE_CHANGE_EMAIL    = 4;
+    
+    private $mode;
+
+    /**
+     * __construct 
+     * 
+     * @param mixed $mode 
+     * @access public
+     * @return void
+     */
+    public function __construct($mode)
+    {
+        // Find the correct UserType mode for our view mode
+        // This is needed for the dynamic generation of the form
+        if ('profile' == $mode) {
+
+            $mode = UserType::MODE_CHANGE_PROFILE;
+
+        } elseif ('email' == $mode) {
+
+            $mode = UserType::MODE_CHANGE_EMAIL;
+
+        } elseif ('password' == $mode) {
+
+            $mode = UserType::MODE_CHANGE_PASSWORD;
+        }
+
+        $this->mode = $mode;
+    }
+
     /**
      * buildForm 
      * 
@@ -25,16 +58,46 @@ class UserType extends AbstractType
      */
     public function buildForm(FormBuilderInterface $builder, array $options)
     {
-        $builder->add('firstName', null, array('label' => 'Vorname'));
-        $builder->add('lastName', null, array('label' => 'Nachname'));
-        $builder->add('email', 'email', array('label' => 'Email Adresse'));
-        $builder->add('password', 'repeated', array(
-            'type' => 'password',
-            'invalid_message' => 'Die angegebenen Passwörten stimmen nicht überein.',
-            'options' => array('label' => 'Passwort'),
-            'first_options' => array('label' => 'Passwort'),
-            'second_options' => array('label' => 'Passwort Wiederholung'),
-        ));
+        // Add the specific field on the matching modes
+        if (self::MODE_CHANGE_PROFILE & ($this->mode)) {
+
+            $builder->add('firstName', null, array(
+                'label' => 'Vorname'
+            ));
+
+            $builder->add('lastName', null, array(
+                'label' => 'Nachname'
+            ));
+        }
+
+        if (self::MODE_CHANGE_EMAIL & ($this->mode)) {
+
+            $builder->add('email', 'email', array(
+                'label' => 'Email Adresse'
+            ));
+        }
+
+        if (self::MODE_CHANGE_PASSWORD & ($this->mode)) {
+
+            $builder->add('password_old', 'password', array(
+                'property_path' => false,
+                'label' => 'Altes Passwort'
+            ));
+
+            $builder->add('password', 'repeated', array(
+                'type' => 'password',
+                'invalid_message' => 'Die angegebenen Passwörten stimmen nicht überein.',
+                'options' => array(
+                    'label' => 'Neues Passwort'
+                ),
+                'first_options' => array(
+                    'label' => 'Neues Passwort'
+                ),
+                'second_options' => array(
+                    'label' => 'Wiederholung des neuen Passwort'
+                ),
+            ));
+        }
     }
 
     /**