ResetPassword skips userChangePassword

This public forum is for user-to-user discussions of PHPMaker. Note that this is not support forum.
yinsw
User
Posts: 148
Location: Penang, Malaysia


Post by yinsw »

PHPMaker v2024.10

I have custom validation in Change Password Page -> User_ChangePassword to check password rules, e.g. Must include one number, one capital letter, one symbol, etc.

If I use Reset Password function and click the link in the email received to reset password, it skips the validation. Is there any way that I can do custom validation for Reset Password change as well?


arbei
User
Posts: 9396

Post by arbei »

The ResetPassword page sends an email to users for them to go to the ChangePassword page themselves; users do not need to input a new password in the ResetPassword page and hence there is no validation. When the user goes to the ChangePassword page and enters a new password, your User_ChangePassword server event will be called.


yinsw
User
Posts: 148
Location: Penang, Malaysia

Post by yinsw »

Yes, that is correct, the link in the email will go to the ChangePassword page. This ChangePassword page will only show "New Password" and "Confirm Password"; "Old Password" will be hidden when IsPasswordReset.

If you study the code in models\ChangePassword.php, it does not trigger User_ChangePassword if you're doing Change Password for Password Reset.


```php
// snippets from ChangePassword.php

if ($user) {
    if (IsPasswordReset() || ComparePassword($user->get(Config("LOGIN_PASSWORD_FIELD_NAME")), $this->OldPassword->CurrentValue)) {
        $validPwd = true;
        // User_ChangePassword server event is called only when this is not a password reset
        if (!IsPasswordReset()) {
            $validPwd = $this->userChangePassword($user->toArray(), $userName, $this->OldPassword->CurrentValue, $this->NewPassword->CurrentValue);
        }
        if ($validPwd) {
            $user->set(Config("LOGIN_PASSWORD_FIELD_NAME"), $this->NewPassword->CurrentValue); // Change Password
            GetUserEntityManager()->flush();
            $pwdUpdated = true;
        } else {
            $this->setFailureMessage($Language->phrase("InvalidNewPassword"));
        }
    } else {
        $this->setFailureMessage($Language->phrase("InvalidPassword"));
    }
}
```

mobhar
User
Posts: 11741

Post by mobhar »

I think that's normal, since the page is opened from the link that was sent via email after requesting a password reset. Why must the old password be displayed anymore in such a case? There should be only new password and new password confirmation textboxes on the form.


yinsw
User
Posts: 148
Location: Penang, Malaysia

Post by yinsw »

Hi mobhar,

The design is correct for reset password. I didn't say it's incorrect :P Back to my issue, I'm saying that the ResetPassword does not trigger the User_ChangePassword where I do my custom validation. In User_ChangePassword, I do validation for the password (must have capital letter, must have numbers, must have 1 symbol, etc). But if the user does ResetPassword, that custom validation in User_ChangePassword() is skipped and the user can simply key in 123 and it allows the user to successfully change it.


mobhar
User
Posts: 11741

Post by mobhar »

As we can see from the code above, the User_ChangePassword server event will not be triggered if the Change Password page came from the Reset Password action. The main reason for this is that there is no old password input in that Change Password form.

In other words, that server event will be triggered only if the end-user does the Change Password action after he/she has successfully logged in.


yinsw
User
Posts: 148
Location: Penang, Malaysia

Post by yinsw »

Is there any alternative solution or workaround that I can use if I want to do custom validation of the new password that the user entered on Reset Password by using any of the events? That is because I want to do custom validation for the password (must have at least 1 capital letter, must have at least 1 small letter, must have numbers, must include 1 symbol, etc). If possible I don't want to manually customize the generated code.


mobhar
User
Posts: 11741

Post by mobhar »

Why don't you use jQuery code and put it in the Startup Script section of the Change Password page?


mobhar
User
Posts: 11741

Post by mobhar »

Alternatively, you may use JavaScript/jQuery code, and put it in Form_CustomValidate under Client Scripts -> Other -> Change Password Page.
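
The password rules listed in this thread, written as a client-side check that could be called from Form_CustomValidate (added example, not part of the original posts or PHPMaker's generated code; the rule set, the 8-character minimum and the function names are assumptions). A client-side check only guides the user: per the ChangePassword.php snippet above, the reset path still stores whatever value the server receives.

```javascript
// Added example. Rules follow the thread ("capital letter, small letter,
// numbers, symbol, etc"); the minimum length is an assumed value.
const MIN_LENGTH = 8; // assumption, not stated in the thread

const PASSWORD_RULES = [
  { id: "length", message: `at least ${MIN_LENGTH} characters`,
    test: (pw) => [...pw].length >= MIN_LENGTH },      // count code points
  { id: "upper",  message: "at least 1 capital letter",
    test: (pw) => /\p{Lu}/u.test(pw) },
  { id: "lower",  message: "at least 1 small letter",
    test: (pw) => /\p{Ll}/u.test(pw) },
  { id: "digit",  message: "at least 1 number",
    test: (pw) => /\p{Nd}/u.test(pw) },
  { id: "symbol", message: "at least 1 symbol",
    test: (pw) => /[^\p{L}\p{N}\s]/u.test(pw) },       // not letter/digit/space
];

// Returns the ids of every rule the password fails (empty array = valid).
// When `confirm` is supplied, a mismatch is reported as "mismatch".
function checkPasswordRules(password, confirm) {
  const pw = typeof password === "string" ? password : "";
  const failures = PASSWORD_RULES.filter((r) => !r.test(pw)).map((r) => r.id);
  if (confirm !== undefined && pw !== confirm) failures.push("mismatch");
  return failures;
}

// Builds one user-facing message from the failed rule ids.
function describeFailures(failures) {
  if (failures.length === 0) return "";
  const parts = failures.map((id) => {
    const rule = PASSWORD_RULES.find((r) => r.id === id);
    return rule ? rule.message : "both password fields must match";
  });
  return "Password must have: " + parts.join("; ");
}

// Hypothetical wiring: inside Form_CustomValidate, read the "New Password"
// and "Confirm Password" inputs (lookup is project-specific, not shown),
// show describeFailures(...) and return false when the array is not empty.
```

Keeping the rules in one table makes it straightforward to mirror the same list in the server-side check so both sides agree.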

