FIX mark a successful login attempt when completing a password reset (#…

…10100)
silverstripe · Mar 14, 2024 · 33305ab · 33305ab
1 parent 8f48e9b
commit 33305ab
Showing 1 changed file with 19 additions and 4 deletions.
diff --git a/src/Security/MemberAuthenticator/ChangePasswordHandler.php b/src/Security/MemberAuthenticator/ChangePasswordHandler.php
@@ -13,6 +13,7 @@
 use SilverStripe\ORM\ValidationException;
 use SilverStripe\Security\Authenticator;
 use SilverStripe\Security\IdentityStore;
+use SilverStripe\Security\LoginAttempt;
 use SilverStripe\Security\Member;
 use SilverStripe\Security\Security;
 
@@ -119,8 +120,8 @@ public function changepassword()
                 _t(
                     'SilverStripe\\Security\\Security.NOTERESETLINKINVALID',
                     '<p>The password reset link is invalid or expired.</p>'
-                    . '<p>You can request a new one <a href="{link1}">here</a> or change your password after'
-                    . ' you <a href="{link2}">log in</a>.</p>',
+                        . '<p>You can request a new one <a href="{link1}">here</a> or change your password after'
+                        . ' you <a href="{link2}">log in</a>.</p>',
                     [
                         'link1' => Security::lost_password_url(),
                         'link2' => Security::login_url(),
@@ -267,21 +268,35 @@ public function doChangePassword(array $data, $form)
         // Clear locked out status
         $member->LockedOutUntil = null;
         $member->FailedLoginCount = null;
+
         // Clear the members login hashes
         $member->AutoLoginHash = null;
         $member->AutoLoginExpired = DBDatetime::create()->now();
         $member->write();
 
+        // Create a successful 'LoginAttempt' as the password is reset
+        $loginAttempt = LoginAttempt::create();
+        $loginAttempt->Status = LoginAttempt::SUCCESS;
+        $loginAttempt->MemberID = $member->ID;
+
+        if ($member->Email) {
+            $loginAttempt->setEmail($member->Email);
+        }
+
+        $loginAttempt->IP = $this->getRequest()->getIP();
+        $loginAttempt->write();
+
         if ($member->canLogin()) {
             $identityStore = Injector::inst()->get(IdentityStore::class);
             $identityStore->logIn($member, false, $this->getRequest());
         }
 
         $session->clear('AutoLoginHash');
 
-        // Redirect to backurl
+        // Redirect to back url
         $backURL = $this->getBackURL();
-        if ($backURL
+        if (
+            $backURL
             // Don't redirect back to itself
             && $backURL !== Security::singleton()->Link('changepassword')
         ) {