ezsystems · lserwatka · Oct 22, 2020 · Oct 12, 2020 · Oct 14, 2020 · Oct 14, 2020
diff --git a/eZ/Bundle/EzPublishCoreBundle/ApiLoader/RepositoryFactory.php b/eZ/Bundle/EzPublishCoreBundle/ApiLoader/RepositoryFactory.php
@@ -16,6 +16,7 @@
 use eZ\Publish\Core\Repository\User\PasswordHashServiceInterface;
 use eZ\Publish\Core\Repository\Helper\RelationProcessor;
 use eZ\Publish\Core\Repository\Mapper;
+use eZ\Publish\Core\Repository\User\PasswordValidatorInterface;
 use eZ\Publish\Core\Search\Common\BackgroundIndexer;
 use eZ\Publish\SPI\Persistence\Filter\Content\Handler as ContentFilteringHandler;
 use eZ\Publish\SPI\Persistence\Filter\Location\Handler as LocationFilteringHandler;
@@ -88,7 +89,8 @@ public function buildRepository(
         LimitationService $limitationService,
         PermissionService $permissionService,
         ContentFilteringHandler $contentFilteringHandler,
-        LocationFilteringHandler $locationFilteringHandler
+        LocationFilteringHandler $locationFilteringHandler,
+        PasswordValidatorInterface $passwordValidator
     ): Repository {
         $config = $this->container->get('ezpublish.api.repository_configuration_provider')->getRepositoryConfig();
 
@@ -111,6 +113,7 @@ public function buildRepository(
             $permissionService,
             $contentFilteringHandler,
             $locationFilteringHandler,
+            $passwordValidator,
             [
                 'role' => [
                     'policyMap' => $this->policyMap,

diff --git a/eZ/Publish/API/Repository/Events/User/BeforeUpdateUserPasswordEvent.php b/eZ/Publish/API/Repository/Events/User/BeforeUpdateUserPasswordEvent.php
@@ -0,0 +1,60 @@
+<?php
+
+/**
+ * @copyright Copyright (C) eZ Systems AS. All rights reserved.
+ * @license For full copyright and license information view LICENSE file distributed with this source code.
+ */
+declare(strict_types=1);
+
+namespace eZ\Publish\API\Repository\Events\User;
+
+use eZ\Publish\API\Repository\Values\User\User;
+use eZ\Publish\SPI\Repository\Event\BeforeEvent;
+use UnexpectedValueException;
+
+final class BeforeUpdateUserPasswordEvent extends BeforeEvent
+{
+    /** @var \eZ\Publish\API\Repository\Values\User\User */
+    private $user;
+
+    /** @var string */
+    private $newPassword;
+
+    /** @var \eZ\Publish\API\Repository\Values\User\User|null */
+    private $updatedUser;
+
+    public function __construct(User $user, string $newPassword)
+    {
+        $this->user = $user;
+        $this->newPassword = $newPassword;
+    }
+
+    public function getUser(): User
+    {
+        return $this->user;
+    }
+
+    public function getNewPassword(): string
+    {
+        return $this->newPassword;
+    }
+
+    public function getUpdatedUser(): User
+    {
+        if (!$this->hasUpdatedUser()) {
+            throw new UnexpectedValueException(sprintf('Return value is not set or not of type %s. Check hasUpdatedUser() or set it using setUpdatedUser() before you call the getter.', User::class));
+        }
+
+        return $this->updatedUser;
+    }
+
+    public function setUpdatedUser(?User $updatedUser): void
+    {
+        $this->updatedUser = $updatedUser;
+    }
+
+    public function hasUpdatedUser(): bool
+    {
+        return $this->updatedUser instanceof User;
+    }
+}
diff --git a/eZ/Publish/API/Repository/Events/User/UpdateUserPasswordEvent.php b/eZ/Publish/API/Repository/Events/User/UpdateUserPasswordEvent.php
@@ -0,0 +1,49 @@
+<?php
+
+/**
+ * @copyright Copyright (C) eZ Systems AS. All rights reserved.
+ * @license For full copyright and license information view LICENSE file distributed with this source code.
+ */
+declare(strict_types=1);
+
+namespace eZ\Publish\API\Repository\Events\User;
+
+use eZ\Publish\API\Repository\Values\User\User;
+use eZ\Publish\SPI\Repository\Event\AfterEvent;
+
+final class UpdateUserPasswordEvent extends AfterEvent
+{
+    /** @var \eZ\Publish\API\Repository\Values\User\User */
+    private $user;
+
+    /** @var string */
+    private $newPassword;
+
+    /** @var \eZ\Publish\API\Repository\Values\User\User */
+    private $updatedUser;
+
+    public function __construct(
+        User $updatedUser,
+        User $user,
+        string $newPassword
+    ) {
+        $this->user = $user;
+        $this->newPassword = $newPassword;
+        $this->updatedUser = $updatedUser;
+    }
+
+    public function getUser(): User
+    {
+        return $this->user;
+    }
+
+    public function getNewPassword(): string
+    {
+        return $this->newPassword;
+    }
+
+    public function getUpdatedUser(): User
+    {
+        return $this->updatedUser;
+    }
+}
diff --git a/eZ/Publish/API/Repository/Tests/UserServiceAuthorizationTest.php b/eZ/Publish/API/Repository/Tests/UserServiceAuthorizationTest.php
@@ -297,6 +297,31 @@ public function testUpdateUserThrowsUnauthorizedException()
         /* END: Use Case */
     }
 
+    /**
+     * @covers \eZ\Publish\API\Repository\UserService::updateUserPassword
+     */
+    public function testUpdateUserPasswordThrowsUnauthorizedException(): void
+    {
+        $repository = $this->getRepository();
+        $userService = $repository->getUserService();
+        $permissionResolver = $repository->getPermissionResolver();
+
+        $this->createRoleWithPolicies('CannotChangePassword', []);
+
+        $user = $this->createCustomUserWithLogin(
+            'without_role_password',
+            'without_role_password@example.com',
+            'Anons',
+            'CannotChangePassword'
+        );
+
+        // Now set the currently created "Editor" as current user
+        $permissionResolver->setCurrentUserReference($user);
+
+        $this->expectException(UnauthorizedException::class);
+        $userService->updateUserPassword($user, 'new password');
+    }
+
     /**
      * Test for the assignUserToUserGroup() method.
      *

diff --git a/eZ/Publish/API/Repository/Tests/UserServiceTest.php b/eZ/Publish/API/Repository/Tests/UserServiceTest.php
@@ -2016,6 +2016,35 @@ public function testUpdateUserWithStrongPassword()
         $this->assertInstanceOf(User::class, $user);
     }
 
+    /**
+     * @covers \eZ\Publish\API\Repository\UserService::updateUserPassword
+     */
+    public function testUpdateUserPasswordWorksWithUserPasswordRole(): void
+    {
+        $repository = $this->getRepository();
+        $userService = $repository->getUserService();
+        $permissionResolver = $repository->getPermissionResolver();
+
+        $this->createRoleWithPolicies('CanChangePassword', [
+            ['module' => 'user', 'function' => 'password'],
+        ]);
+
+        $user = $this->createCustomUserWithLogin(
+            'with_role_password',
+            'with_role_password@example.com',
+            'Anons',
+            'CanChangePassword'
+        );
+        $previousHash = $user->passwordHash;
+
+        $permissionResolver->setCurrentUserReference($user);
+
+        $userService->updateUserPassword($user, 'new password');
+
+        $user = $userService->loadUserByLogin('with_role_password');
+        $this->assertNotEquals($previousHash, $user->passwordHash);
+    }
+
     /**
      * Test for the loadUserGroupsOfUser() method.
      *

diff --git a/eZ/Publish/API/Repository/UserService.php b/eZ/Publish/API/Repository/UserService.php
@@ -218,21 +218,29 @@ public function deleteUser(User $user): iterable;
     /**
      * Updates a user.
      *
-     * 4.x: If the versionUpdateStruct is set in the user update structure, this method internally creates a content draft, updates ts with the provided data
+     * 4.x: If the versionUpdateStruct is set in the user update structure, this method internally creates a content draft, updates it with the provided data
      * and publishes the draft. If a draft is explicitly required, the user group can be updated via the content service methods.
      *
      * @param \eZ\Publish\API\Repository\Values\User\User $user
      * @param \eZ\Publish\API\Repository\Values\User\UserUpdateStruct $userUpdateStruct
      *
      * @return \eZ\Publish\API\Repository\Values\User\User
      *
-     *@throws \eZ\Publish\API\Repository\Exceptions\ContentFieldValidationException if a field in the $userUpdateStruct is not valid
+     * @throws \eZ\Publish\API\Repository\Exceptions\ContentFieldValidationException if a field in the $userUpdateStruct is not valid
      * @throws \eZ\Publish\API\Repository\Exceptions\ContentValidationException if a required field is set empty
      * @throws \eZ\Publish\API\Repository\Exceptions\InvalidArgumentException if a field value is not accepted by the field type
      * @throws \eZ\Publish\API\Repository\Exceptions\UnauthorizedException if the authenticated user is not allowed to update the user
      */
     public function updateUser(User $user, UserUpdateStruct $userUpdateStruct): User;
 
+    /**
+     * Updates user's password.
+     *
+     * @throws \eZ\Publish\API\Repository\Exceptions\ContentFieldValidationException if new password does not pass validation
+     * @throws \eZ\Publish\API\Repository\Exceptions\UnauthorizedException if the authenticated user is not allowed to update the user
+     */
+    public function updateUserPassword(User $user, string $newPassword): User;
+
     /**
      * Update the user token information specified by the user token struct.
      *

diff --git a/eZ/Publish/Core/Base/Container/ApiLoader/RepositoryFactory.php b/eZ/Publish/Core/Base/Container/ApiLoader/RepositoryFactory.php
@@ -14,6 +14,7 @@
 use eZ\Publish\Core\Repository\User\PasswordHashServiceInterface;
 use eZ\Publish\Core\Repository\Helper\RelationProcessor;
 use eZ\Publish\Core\Repository\Mapper;
+use eZ\Publish\Core\Repository\User\PasswordValidatorInterface;
 use eZ\Publish\Core\Search\Common\BackgroundIndexer;
 use eZ\Publish\SPI\Persistence\Filter\Content\Handler as ContentFilteringHandler;
 use eZ\Publish\SPI\Persistence\Filter\Location\Handler as LocationFilteringHandler;
@@ -79,6 +80,7 @@ public function buildRepository(
         PermissionService $permissionService,
         ContentFilteringHandler $contentFilteringHandler,
         LocationFilteringHandler $locationFilteringHandler,
+        PasswordValidatorInterface $passwordValidator,
         array $languages
     ): Repository {
         return new $this->repositoryClass(
@@ -100,6 +102,7 @@ public function buildRepository(
             $permissionService,
             $contentFilteringHandler,
             $locationFilteringHandler,
+            $passwordValidator,
             [
                 'role' => [
                     'policyMap' => $this->policyMap,

diff --git a/eZ/Publish/Core/Base/Exceptions/MissingUserFieldTypeException.php b/eZ/Publish/Core/Base/Exceptions/MissingUserFieldTypeException.php
@@ -0,0 +1,26 @@
+<?php
+
+/**
+ * @copyright Copyright (C) eZ Systems AS. All rights reserved.
+ * @license For full copyright and license information view LICENSE file distributed with this source code.
+ */
+namespace eZ\Publish\Core\Base\Exceptions;
+
+use eZ\Publish\API\Repository\Values\ContentType\ContentType;
+
+/**
+ * @internal
+ */
+final class MissingUserFieldTypeException extends ContentValidationException
+{
+    public function __construct(ContentType $contentType, string $fieldType)
+    {
+        parent::__construct(
+            'The provided Content Type "%contentType%" does not contain the %fieldType% Field Type',
+            [
+                'contentType' => $contentType->identifier,
+                'fieldType' => $fieldType,
+            ]
+        );
+    }
+}
diff --git a/eZ/Publish/Core/Event/UserService.php b/eZ/Publish/Core/Event/UserService.php
@@ -8,6 +8,8 @@
 
 namespace eZ\Publish\Core\Event;
 
+use eZ\Publish\API\Repository\Events\User\BeforeUpdateUserPasswordEvent;
+use eZ\Publish\API\Repository\Events\User\UpdateUserPasswordEvent;
 use eZ\Publish\API\Repository\UserService as UserServiceInterface;
 use eZ\Publish\API\Repository\Values\User\User;
 use eZ\Publish\API\Repository\Values\User\UserCreateStruct;
@@ -228,6 +230,58 @@ public function updateUser(
         return $updatedUser;
     }
 
+    public function updateUserPassword(
+        User $user,
+        string $newPassword
+    ): User {
+        $eventData = [
+            $user,
+            new UserUpdateStruct([
+                'password' => $newPassword,
+            ]),
+        ];
+
+        /**
+         * @deprecated since eZ Platform by Ibexa v3.1. listening on BeforeUpdateUserEvent when updating password has been deprecated. Use BeforeUpdateUserPasswordEvent instead.
+         */
+        $beforeEvent = new BeforeUpdateUserEvent(...$eventData);
+
+        $this->eventDispatcher->dispatch($beforeEvent);
+        if ($beforeEvent->isPropagationStopped()) {
+            return $beforeEvent->getUpdatedUser();
+        }
+
+        $beforePasswordEvent = new BeforeUpdateUserPasswordEvent($user, $newPassword);
+
+        $this->eventDispatcher->dispatch($beforePasswordEvent);
+        if ($beforePasswordEvent->isPropagationStopped()) {
+            return $beforePasswordEvent->getUpdatedUser();
+        }
+
+        if ($beforeEvent->hasUpdatedUser()) {
+            $updatedUser = $beforeEvent->getUpdatedUser();
+        } elseif ($beforePasswordEvent->hasUpdatedUser()) {
+            $updatedUser = $beforePasswordEvent->getUpdatedUser();
+        } else {
+            $updatedUser = $this->innerService->updateUserPassword($user, $newPassword);
+        }
+
+        /**
+         * @deprecated since eZ Platform by Ibexa v3.1. Listening on UpdateUserEvent when updating password has been deprecated. Use UpdateUserPasswordEvent instead.
+         */
+        $afterEvent = new UpdateUserEvent($updatedUser, ...$eventData);
+        $this->eventDispatcher->dispatch(
+            $afterEvent
+        );
+
+        $afterPasswordEvent = new UpdateUserPasswordEvent($updatedUser, $user, $newPassword);
+        $this->eventDispatcher->dispatch(
+            $afterPasswordEvent
+        );
+
+        return $updatedUser;
+    }
+
     public function updateUserToken(
         User $user,
         UserTokenUpdateStruct $userTokenUpdateStruct

diff --git a/eZ/Publish/Core/Persistence/Cache/UserHandler.php b/eZ/Publish/Core/Persistence/Cache/UserHandler.php
@@ -215,6 +215,21 @@ public function update(User $user)
         return $user;
     }
 
+    public function updatePassword(User $user): void
+    {
+        $this->logger->logCall(__METHOD__, ['user-login' => $user->login]);
+
+        $this->persistenceHandler->userHandler()->updatePassword($user);
+
+        // Clear corresponding content cache as update of the User changes it's external data
+        $this->cache->invalidateTags(['content-' . $user->id, 'user-' . $user->id]);
+        // Clear especially by email key as it might already be cached and this might represent change to email
+        $this->cache->deleteItems([
+            'ez-user-' . $this->escapeForCacheKey($user->email) . '-by-email',
+            'ez-users-' . $this->escapeForCacheKey($user->email) . '-by-email',
+        ]);
+    }
+
     /**
      * {@inheritdoc}
      */

diff --git a/eZ/Publish/Core/Persistence/Legacy/User/Gateway.php b/eZ/Publish/Core/Persistence/Legacy/User/Gateway.php
@@ -8,6 +8,7 @@
 
 namespace eZ\Publish\Core\Persistence\Legacy\User;
 
+use eZ\Publish\SPI\Persistence\User;
 use eZ\Publish\SPI\Persistence\User\UserTokenUpdateStruct;
 
 /**
@@ -39,6 +40,13 @@ abstract public function loadByEmail(string $email): array;
      */
     abstract public function loadUserByToken(string $hash): array;
 
+    /**
+     * Update the user password as specified by the user struct.
+     *
+     * @param \eZ\Publish\SPI\Persistence\User $user
+     */
+    abstract public function updateUserPassword(User $user): void;
+
     /**
      * Update a User token specified by UserTokenUpdateStruct.
      *