Merge remote-tracking branch 'origin/10.3' into 11.x

src/Controller/AccountController.php

@@ -17,6 +17,7 @@
 
 use App\EventListener\AuthenticationLoginListener;
 use App\Form\LoginFormType;
+use App\Form\PasswordMaxLengthTrait;
 use App\Form\RegistrationFormHandler;
 use App\Form\RegistrationFormType;
 use App\Model\Customer;
@@ -47,6 +48,7 @@
  */
 class AccountController extends BaseController
 {
+    use PasswordMaxLengthTrait;
     /**
      * @Route("/account/login", name="account-login")
      *
@@ -150,6 +152,10 @@ public function registerAction(
             $customer->setActive(true);
 
             try {
+                if(!$hidePassword) {
+                    $this->checkPassword($form->getData()['password']);
+                }
+
                 $customer->save();
 
                 if ($form->getData()['newsletter']) {
@@ -331,24 +337,35 @@ public function resetPasswordAction(Request $request, PasswordRecoveryService $s
     {
         $token = $request->get('token');
         $customer = $service->getCustomerByToken($token);
-        if (!$customer) {
-            //TODO render error page
-            throw new NotFoundHttpException('Invalid token');
-        }
+        $error = null;
+        try {
+            if (!$customer) {
+                throw new NotFoundHttpException('Invalid token');
+            }
 
-        if ($request->isMethod(Request::METHOD_POST)) {
-            $newPassword = $request->get('password');
-            $service->setPassword($token, $newPassword);
+            if ($request->isMethod(Request::METHOD_POST)) {
 
-            $this->addFlash('success', $translator->trans('account.password-reset-successful'));
+                $newPassword = $request->get('password');
 
-            return $this->redirectToRoute('account-login', ['no-referer-redirect' => true]);
+                $this->checkPassword($newPassword);
+
+                $service->setPassword($token, $newPassword);
+
+                $this->addFlash('success', $translator->trans('account.password-reset-successful'));
+
+                return $this->redirectToRoute('account-login', ['no-referer-redirect' => true]);
+
+            }
+
+        } catch (\Exception $exception) {
+            $error = $exception->getMessage();
         }
 
         return $this->render('account/reset_password.html.twig', [
             'hideBreadcrumbs' => true,
             'token' => $token,
-            'email' => $customer->getEmail()
+            'email' => $customer?->getEmail(),
+            'error' => $error
         ]);
     }
 }

src/Form/LoginFormType.php

@@ -36,6 +36,7 @@
 use Symfony\Component\Form\Extension\Core\Type\SubmitType;
 use Symfony\Component\Form\FormBuilderInterface;
 use Symfony\Component\OptionsResolver\OptionsResolver;
+use Symfony\Component\PasswordHasher\PasswordHasherInterface;
 
 class LoginFormType extends AbstractType
 {
@@ -55,6 +56,9 @@ public function buildForm(FormBuilderInterface $builder, array $options)
                 'label' => 'user.password',
                 'label_attr' => [
                     'class' => 'sr-only'
+                ],
+                'attr' => [
+                    'maxlength' => PasswordHasherInterface::MAX_PASSWORD_LENGTH
                 ]
             ])
             ->add('_target_path', HiddenType::class)

src/Form/PasswordMaxLengthTrait.php

@@ -0,0 +1,37 @@
+<?php
+
+declare(strict_types=1);
+
+/**
+ * Pimcore
+ *
+ * This source file is available under two different licenses:
+ * - GNU General Public License version 3 (GPLv3)
+ * - Pimcore Commercial License (PCL)
+ * Full copyright and license information is available in
+ * LICENSE.md which is distributed with this source code.
+ *
+ * @copyright  Copyright (c) Pimcore GmbH (http://www.pimcore.org)
+ * @license    http://www.pimcore.org/license     GPLv3 and PCL
+ */
+
+
+namespace App\Form;
+
+use Pimcore\Model\Element\ValidationException;
+use Symfony\Component\PasswordHasher\Hasher\CheckPasswordLengthTrait;
+
+trait PasswordMaxLengthTrait
+{
+    use CheckPasswordLengthTrait;
+
+    /**
+     * @throws ValidationException
+     */
+    public function checkPassword(string $password): void
+    {
+        if ($this->isPasswordTooLong($password)) {
+            throw new ValidationException("Given password is too long.");
+        }
+    }
+}

src/Form/RegistrationFormType.php

@@ -38,6 +38,7 @@
 use Symfony\Component\Form\Extension\Core\Type\TextType;
 use Symfony\Component\Form\FormBuilderInterface;
 use Symfony\Component\OptionsResolver\OptionsResolver;
+use Symfony\Component\PasswordHasher\PasswordHasherInterface;
 
 class RegistrationFormType extends AbstractType
 {
@@ -61,7 +62,10 @@ public function buildForm(FormBuilderInterface $builder, array $options)
             ]);
         if (!$options['hidePassword']) {
             $builder->add('password', PasswordType::class, [
-                'label' => 'general.password'
+                'label' => 'general.password',
+                'attr' => [
+                    'maxlength' => PasswordHasherInterface::MAX_PASSWORD_LENGTH
+                ]
             ]);
         }
 

templates/account/reset_password.html.twig

@@ -8,6 +8,11 @@
         <div class="form-signin mb-5">
 
             <form method="post">
+                {% if error %}
+                    <div class="alert alert-danger">
+                        {{ error | raw }}
+                    </div>
+                {% else %}
                 <h1 class="display-3 mb-3 font-weight-normal">{{ 'account.password-recovery' | trans }}</h1>
 
                 <p>{{ 'account.password-recovery-text' | trans([email]) }}</p>
@@ -17,6 +22,7 @@
                 <div class="form-group">
                     <button type="submit" id="_submit" name="_submit" class="btn-success btn-lg btn-block mt-4 btn">{{ 'account.set-password' | trans }}</button>
                 </div>
+                {% endif %}
 
             </form>