From 9ba27e532c2d63e9fe083d68af5cf864648a9189 Mon Sep 17 00:00:00 2001
From: Ruediger Schultz
Date: Wed, 7 Feb 2018 01:49:46 +0100
Subject: [PATCH] Delete existing user_keys, if password is changed (#17827)
* Delete existing user_keys, if password is changed
* corrected styling issues
* deploy version - as I said, this is my first pr
* pushing to patch-2
* newline after }
* push to patch-2
* push to patch-2
* Update en-GB.com_users.ini
* Update remember.php
* Update remember.xml
* configuration option in XML file radio button option to activate/deactivate the "reset RememberMe" functionality on password-change.
* Update en-GB.plg_system_remember.ini
* hm...
* Update remember.php
* Update remember.php
* XML styles
* commenting out the user message
* Update remember.php
* Update en-GB.plg_system_remember.ini
* btn-group-yesno
* Update remember.php
* Update remember.php
* reference to Alice Ruggles removed!
* making it mandatory
* Update remember.php
* making it mandatory
* making it mandatory
* making it mandatory
* as per the remarks of Quy changed
* changed as per Quy's remarks
---
plugins/system/remember/remember.php | 51 ++++++++++++++++++++++++++++
1 file changed, 51 insertions(+)
diff --git a/plugins/system/remember/remember.php b/plugins/system/remember/remember.php
index a6e177bf4b7eb..3608c43b66990 100644
--- a/plugins/system/remember/remember.php
+++ b/plugins/system/remember/remember.php
@@ -94,4 +94,55 @@ public function onUserLogout($user, $options)
 return true;
 }
+
+ /**
+ * Method is called before user data is stored in the database
+ * Invalidate all existing remember-me cookies after a password change
+ *
+ * @param array $user Holds the old user data.
+ * @param boolean $isnew True if a new user is stored.
+ * @param array $data Holds the new user data.
+ *
+ * @return boolean
+ *
+ * @since __DEPLOY_VERSION__
+ */
+ public function onUserBeforeSave($user, $isnew, $data)
+ {
+ // Irrelevant on new users
+ if ($isnew)
+ {
+ return true;
+ }
+
+ // Irrelevant, because password was not changed by user
+ if ($data['password_clear'] == '')
+ {
+ return true;
+ }
+
+ /*
+ * But now, we need to do something
+ * Delete all tokens for this user!
+ */
+ $db = JFactory::getDbo();
+ $query = $db->getQuery(true)
+ ->delete('#__user_keys')
+ ->where($db->quoteName('user_id') . ' = ' . $db->quote($user['username']));
+ try
+ {
+ $db->setQuery($query)->execute();
+ }
+ catch (RuntimeException $e)
+ {
+ // Log an alert for the site admin
+ JLog::add(
+ sprintf('Failed to delete cookie token for user %s with the following error: %s', $user['username'], $e->getMessage()),
+ JLog::WARNING,
+ 'security'
+ );
+ }
+
+ return true;
+ }
 }
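Review bot: In the `catch (RuntimeException $e)` branch of `onUserBeforeSave`, a failed delete on `#__user_keys` is only logged at `JLog::WARNING` and the method still returns `true`, so the password change completes while the old remember-me tokens stay usable; the control fails open in the case it was added for. If that is deliberate, document it in the catch block, e.g. `// Deliberately non-blocking: a token cleanup failure must not abort the password change`, and consider `JLog::ALERT` so the level matches the existing "Log an alert" comment. The guard `$data['password_clear'] == ''` reads a key the caller may not have set; `if (!isset($data['password_clear']) || $data['password_clear'] === '')` avoids the undefined-index notice and the loose comparison. The `user_id` column is filtered by `$user['username']`, which presumably matches how tokens are keyed elsewhere, but that is not visible in this hunk and deserves a one-line comment; the docblock could also state that the method always returns `true`.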