From 267cdd2aeebf6f63d362f250d08098ff81c16032 Mon Sep 17 00:00:00 2001
From: bruno DA SILVA <bruno.dasilva@combodo.com>
Date: Thu, 28 Nov 2019 08:51:42 +0100
Subject: [PATCH] =?UTF-8?q?n=C2=B0524=20-=20password=20policy=20=20-=20"pa?=
 =?UTF-8?q?ssword=20reset"=20workflow=20now=20handle=20gracefully=20the=20?=
 =?UTF-8?q?policy=20enforcement.?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 application/loginwebpage.class.inc.php        | 18 +++++--
 core/userrights.class.inc.php                 |  1 +
 .../login/password/resetpwdform.html.twig     | 53 ++++++++++---------
 3 files changed, 44 insertions(+), 28 deletions(-)

diff --git a/application/loginwebpage.class.inc.php b/application/loginwebpage.class.inc.php
index 751124bd5..b1fef599c 100644
--- a/application/loginwebpage.class.inc.php
+++ b/application/loginwebpage.class.inc.php
@@ -245,7 +245,7 @@ class LoginWebPage extends NiceWebPage
 		}
 	}
 
-	public function DisplayResetPwdForm()
+	public function DisplayResetPwdForm($sErrorMessage = null)
 	{
 		$sAuthUser = utils::ReadParam('auth_user', '', false, 'raw_data');
 		$sToken = utils::ReadParam('token', '', false, 'raw_data');
@@ -258,6 +258,8 @@ class LoginWebPage extends NiceWebPage
 
 		$aVars['sAuthUser'] = $sAuthUser;
 		$aVars['sToken'] = $sToken;
+		$aVars['sErrorMessage'] = $sErrorMessage;
+
 		if (($oUser == null))
 		{
 			$aVars['bNoUser'] = true;
@@ -288,6 +290,7 @@ class LoginWebPage extends NiceWebPage
 		$sNewPwd = utils::ReadPostedParam('new_pwd', '', 'raw_data');
 
 		UserRights::Login($sAuthUser); // Set the user's language
+		/** @var \UserLocal $oUser */
 		$oUser = UserRights::GetUserObject();
 
 		$oTwigContext = new LoginTwigRenderer();
@@ -1032,8 +1035,17 @@ class LoginWebPage extends NiceWebPage
 		}
 		else if ($operation == 'do_reset_pwd')
 		{
-			$oPage = self::NewLoginWebPage();
-			$oPage->DoResetPassword();
+
+			try {
+				$oPage = self::NewLoginWebPage();
+				$oPage->DoResetPassword();
+			}
+			catch (CoreCannotSaveObjectException $e)
+			{
+				$oPage = self::NewLoginWebPage();
+				$oPage->DisplayResetPwdForm($e->getIssue());
+			}
+
 			$oPage->output();
 			exit;
 		}
diff --git a/core/userrights.class.inc.php b/core/userrights.class.inc.php
index 0aceccc47..309565a43 100644
--- a/core/userrights.class.inc.php
+++ b/core/userrights.class.inc.php
@@ -837,6 +837,7 @@ class UserRights
 		}
 	}
 
+	/** User */
 	public static function GetUserObject()
 	{
 		if (is_null(self::$m_oUser))
diff --git a/templates/login/password/resetpwdform.html.twig b/templates/login/password/resetpwdform.html.twig
index b63ec0ef3..bf18e24c6 100644
--- a/templates/login/password/resetpwdform.html.twig
+++ b/templates/login/password/resetpwdform.html.twig
@@ -7,36 +7,39 @@
 	<div id="login-content">
 		<div id="login-title">
 			<h1>{{ 'UI:ResetPwd-Title'|dict_s }}</h1>
-			{% if bNoUser %}
+			{% if bNoUser and sErrorMessage is null %}
 				<p>{{ 'UI:ResetPwd-Error-WrongLogin'|dict_format(sAuthUser) }}</p>
-			{% elseif bBadToken %}
+			{% elseif bBadToken and sErrorMessage is null %}
 				<p>{{ 'UI:ResetPwd-Error-InvalidToken'|dict_s }}</p>
 			{% else %}
-			<p>{{ 'UI:ResetPwd-Error-EnterPassword'|dict_format(sUserName) }}</p>
-		</div>
-		<div id="login-form">
-				<form method="post">
-					<div id="login-form-content">
-						<div id="login-input">
-							<div>
-								<label for="new_pwd">{{ 'UI:Login:NewPasswordPrompt'|dict_s }}:</label>
-								<input type="password" id="new_pwd" name="new_pwd" value="" />
+				{% if sErrorMessage is not null %}
+					<p class="hilite">{{ sErrorMessage|raw }}</p>
+				{% endif %}
+				<p>{{ 'UI:ResetPwd-Error-EnterPassword'|dict_format(sUserName) }}</p>
+			</div>
+			<div id="login-form">
+					<form method="post">
+						<div id="login-form-content">
+							<div id="login-input">
+								<div>
+									<label for="new_pwd">{{ 'UI:Login:NewPasswordPrompt'|dict_s }}:</label>
+									<input type="password" id="new_pwd" name="new_pwd" value="" />
+								</div>
+								<div>
+									<label for="retype_new_pwd">{{ 'UI:Login:RetypeNewPasswordPrompt'|dict_s }}:</label>
+									<input type="password" id="retype_new_pwd" name="retype_new_pwd" value="" />
+								</div>
 							</div>
-							<div>
-								<label for="retype_new_pwd">{{ 'UI:Login:RetypeNewPasswordPrompt'|dict_s }}:</label>
-								<input type="password" id="retype_new_pwd" name="retype_new_pwd" value="" />
+							<div id="login-submit">
+								<div>
+									<input type="submit" onClick="return DoCheckPwd();" value="{{ 'UI:Button:ChangePassword'|dict_s }}" />
+								</div>
 							</div>
-						</div>
-						<div id="login-submit">
-							<div>
-								<input type="submit" onClick="return DoCheckPwd();" value="{{ 'UI:Button:ChangePassword'|dict_s }}" />
-							</div>
-						</div>
-				</div>
-				<input type="hidden" name="loginop" value="do_reset_pwd" />
-				<input type="hidden" name="auth_user" value="{{ sAuthUser }}" />
-				<input type="hidden" name="token" value="{{ sToken }}" />
-			</form>
+					</div>
+					<input type="hidden" name="loginop" value="do_reset_pwd" />
+					<input type="hidden" name="auth_user" value="{{ sAuthUser }}" />
+					<input type="hidden" name="token" value="{{ sToken }}" />
+				</form>
 			{% endif %}
 		</div>
 	</div>