Commit 08b53fb3 by Alexander Makarov

Fixes #5088: new password reset token is now generated only if previous one was…

Fixes #5088: new password reset token is now generated only if previous one was already used or expired
parent 220b60f3
......@@ -95,11 +95,7 @@ class User extends ActiveRecord implements IdentityInterface
*/
public static function findByPasswordResetToken($token)
{
$expire = Yii::$app->params['user.passwordResetTokenExpire'];
$parts = explode('_', $token);
$timestamp = (int) end($parts);
if ($timestamp + $expire < time()) {
// token expired
if (!static::isPasswordResetTokenValid($token)) {
return null;
}
......@@ -110,6 +106,23 @@ class User extends ActiveRecord implements IdentityInterface
}
/**
* Finds out if password reset token is valid
*
* @param string $token password reset token
* @return boolean
*/
public static function isPasswordResetTokenValid($token)
{
if (empty($token)) {
return false;
}
$expire = Yii::$app->params['user.passwordResetTokenExpire'];
$parts = explode('_', $token);
$timestamp = (int) end($parts);
return $timestamp + $expire >= time();
}
/**
* @inheritdoc
*/
public function getId()
......
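Review bot: The docblock on `isPasswordResetTokenValid()` says it "finds out if password reset token is valid", but the body only checks that the timestamp after the last `_` has not expired, and that timestamp comes from the caller-supplied string itself. A caller that treats a `true` result as proof the token was issued would accept any string ending in a recent enough number. The docblock should say so, for example `Checks only that the token's embedded timestamp has not expired; it does not prove the token was issued to any user, which still requires the database lookup.` The lookup in `findByPasswordResetToken()` lies outside the visible hunk, so this assumes it still matches the full token against the stored value. Separately, `empty($token)` lets a non-empty non-string value through to `explode()`; if `$token` can come straight from a request parameter, a guard such as `if (!is_string($token) || $token === '') { return false; }` would be tighter.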
......@@ -42,7 +42,10 @@ class PasswordResetRequestForm extends Model
]);
if ($user) {
$user->generatePasswordResetToken();
if (!User::isPasswordResetTokenValid($user->password_reset_token)) {
$user->generatePasswordResetToken();
}
if ($user->save()) {
return \Yii::$app->mailer->compose('passwordResetToken', ['user' => $user])
->setFrom([\Yii::$app->params['supportEmail'] => \Yii::$app->name . ' robot'])
......
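Review bot: Reusing a still-valid token means the mail sent from this branch can carry a link that keeps its original expiry, so a request made shortly before `user.passwordResetTokenExpire` elapses delivers a link that stops working almost immediately. It also means a user who re-requests because an earlier mail may have been exposed cannot rotate the token until it expires. If both are accepted trade-offs, record them above the new check, e.g. `// Reuse an unexpired token so earlier mails keep working; the link keeps its original expiry and is not rotated on re-request.` Otherwise consider regenerating once the remaining lifetime falls below a configured minimum. The enclosing method starts and ends outside this hunk, so any request throttling there is not visible.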