Delete existing user_keys, if password is changed (#17827)

* Delete existing user_keys, if password is changed * corrected styling issues * deploy version - as I said, this is my first pr * pushing to patch-2 * newline after } * push to patch-2 * push to patch-2 * Update en-GB.com_users.ini * Update remember.php * Update remember.xml * configuration option in XML file radio button option to activate/deactivate the "reset RememberMe" functionality on password-change. * Update en-GB.plg_system_remember.ini * hm... * Update remember.php * Update remember.php * XML styles * commenting out the user message * Update remember.php * Update en-GB.plg_system_remember.ini * btn-group-yesno * Update remember.php * Update remember.php * reference to Alice Ruggles removed! * making it mandatory * Update remember.php * making it mandatory * making it mandatory * making it mandatory * as per the remarks of Quy changed * changed as per Quy's remarks
joomla · Feb 7, 2018 · 9ba27e5 · 9ba27e5
1 parent 16e3d98
commit 9ba27e5
Showing 1 changed file with 51 additions and 0 deletions.
diff --git a/plugins/system/remember/remember.php b/plugins/system/remember/remember.php
@@ -94,4 +94,55 @@ public function onUserLogout($user, $options)
 
 		return true;
 	}
+
+	/**
+	 * Method is called before user data is stored in the database
+	 * Invalidate all existing remember-me cookies after a password change
+	 *
+	 * @param   array    $user   Holds the old user data.
+	 * @param   boolean  $isnew  True if a new user is stored.
+	 * @param   array    $data   Holds the new user data.
+	 *
+	 * @return    boolean
+	 *
+	 * @since   __DEPLOY_VERSION__
+	 */
+	public function onUserBeforeSave($user, $isnew, $data)
+	{
+		// Irrelevant on new users
+		if ($isnew)
+		{
+			return true;
+		}
+
+		// Irrelevant, because password was not changed by user
+		if ($data['password_clear'] == '')
+		{
+			return true;
+		}
+
+		/*
+		 * But now, we need to do something 
+		 * Delete all tokens for this user!
+		 */
+		$db = JFactory::getDbo();
+		$query = $db->getQuery(true)
+			->delete('#__user_keys')
+			->where($db->quoteName('user_id') . ' = ' . $db->quote($user['username']));
+		try
+		{
+			$db->setQuery($query)->execute();
+		}
+		catch (RuntimeException $e)
+		{
+			// Log an alert for the site admin
+			JLog::add(
+				sprintf('Failed to delete cookie token for user %s with the following error: %s', $user['username'], $e->getMessage()),
+				JLog::WARNING,
+				'security'
+			);
+		}
+
+		return true;
+	}
 }