Skip to content

V15: User password resetting notification #18679

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 3 commits into from
Apr 9, 2025
Merged

V15: User password resetting notification #18679

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
0d47b75
Introduce UserPasswordResettingNotification
Zeegaan Mar 14, 2025
8bc5ee1
Merge branch 'v15/dev' into v15/feature/user-password-resetting
AndyButland Apr 8, 2025
e073efc
Removed changes to IUserService interface.
AndyButland Apr 9, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 4 additions & 0 deletions src/Umbraco.Cms.Api.Management/Controllers/Security/SecurityControllerBase.cs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -21,6 +21,10 @@ protected IActionResult UserOperationStatusResult(UserOperationStatus status, Er
.WithTitle("The password reset token was invalid")
.WithDetail("The specified password reset token was either used already or wrong.")
.Build()),
UserOperationStatus.CancelledByNotification => BadRequest(problemDetailsBuilder
.WithTitle("Cancelled by notification")
.WithDetail("A notification handler prevented the user operation.")
.Build()),
UserOperationStatus.UnknownFailure => BadRequest(problemDetailsBuilder
.WithTitle("Unknown failure")
.WithDetail(errorMessageResult?.Error?.ErrorMessage ?? "The error was unknown")
Expand Down
13 changes: 13 additions & 0 deletions src/Umbraco.Core/Notifications/UserPasswordResettingNotification.cs
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,13 @@
using Umbraco.Cms.Core.Events;
using Umbraco.Cms.Core.Models.Membership;

namespace Umbraco.Cms.Core.Notifications;

public class UserPasswordResettingNotification : CancelableObjectNotification<IUser>
{
public UserPasswordResettingNotification(IUser target, EventMessages messages) : base(target, messages)
{
}

public IUser User => Target;
}
52 changes: 39 additions & 13 deletions src/Umbraco.Core/Services/UserService.cs
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,4 +1,4 @@
using System.ComponentModel.DataAnnotations;

Check notice on line 1 in src/Umbraco.Core/Services/UserService.cs

View check run for this annotation

CodeScene Delta Analysis / CodeScene Cloud Delta Analysis (v15/dev)

✅ Getting better: Primitive Obsession 

The ratio of primitive types in function arguments decreases from 56.58% to 56.09%, threshold = 30.0%. The functions in this file have too many primitive types (e.g. int, double, float) in their function argument lists. Using many primitive types lead to the code smell Primitive Obsession. Avoid adding more primitive arguments.
using System.Linq.Expressions;
using System.Security.Claims;
using System.Security.Cryptography;
Expand Down Expand Up @@ -1180,58 +1180,67 @@
return keys;
}

/// <inheritdoc/>
public async Task<Attempt<PasswordChangedModel, UserOperationStatus>> ChangePasswordAsync(Guid performingUserKey, ChangeUserPasswordModel model)
{
IServiceScope serviceScope = _serviceScopeFactory.CreateScope();
IBackOfficeUserStore userStore = serviceScope.ServiceProvider.GetRequiredService<IBackOfficeUserStore>();
IUser? performingUser = await userStore.GetAsync(performingUserKey);
if (performingUser is null)
{
return Attempt.FailWithStatus(UserOperationStatus.MissingUser, new PasswordChangedModel());
}

return await ChangePasswordAsync(performingUser, model);
}

private async Task<Attempt<PasswordChangedModel, UserOperationStatus>> ChangePasswordAsync(IUser performingUser, ChangeUserPasswordModel model)
{
IServiceScope serviceScope = _serviceScopeFactory.CreateScope();
using ICoreScope scope = ScopeProvider.CreateCoreScope();
IBackOfficeUserStore userStore = serviceScope.ServiceProvider.GetRequiredService<IBackOfficeUserStore>();

IUser? user = await userStore.GetAsync(model.UserKey);
if (user is null)
{
return Attempt.FailWithStatus(UserOperationStatus.UserNotFound, new PasswordChangedModel());
}

if (user.Kind != UserKind.Default)
{
return Attempt.FailWithStatus(UserOperationStatus.InvalidUserType, new PasswordChangedModel());
}

IUser? performingUser = await userStore.GetAsync(performingUserKey);
if (performingUser is null)
{
return Attempt.FailWithStatus(UserOperationStatus.MissingUser, new PasswordChangedModel());
}

// require old password for self change when outside of invite or resetByToken flows
if (performingUser.UserState != UserState.Invited && performingUser.Username == user.Username && string.IsNullOrEmpty(model.OldPassword) && string.IsNullOrEmpty(model.ResetPasswordToken))
{
return Attempt.FailWithStatus(UserOperationStatus.SelfOldPasswordRequired, new PasswordChangedModel());
}

if (performingUser.IsAdmin() is false && user.IsAdmin())
{
return Attempt.FailWithStatus(UserOperationStatus.Forbidden, new PasswordChangedModel());
}

if (string.IsNullOrEmpty(model.ResetPasswordToken) is false)
{
Attempt<UserOperationStatus> verifyPasswordResetAsync = await VerifyPasswordResetAsync(model.UserKey, model.ResetPasswordToken);
if (verifyPasswordResetAsync.Result != UserOperationStatus.Success)
{
return Attempt.FailWithStatus(verifyPasswordResetAsync.Result, new PasswordChangedModel());
}
}

IBackOfficePasswordChanger passwordChanger = serviceScope.ServiceProvider.GetRequiredService<IBackOfficePasswordChanger>();
Attempt<PasswordChangedModel?> result = await passwordChanger.ChangeBackOfficePassword(
new ChangeBackOfficeUserPasswordModel
{
NewPassword = model.NewPassword,
OldPassword = model.OldPassword,
User = user,
ResetPasswordToken = model.ResetPasswordToken,
}, performingUser);
{
NewPassword = model.NewPassword,
OldPassword = model.OldPassword,
User = user,
ResetPasswordToken = model.ResetPasswordToken,
},
performingUser);

Check notice on line 1243 in src/Umbraco.Core/Services/UserService.cs

View check run for this annotation

CodeScene Delta Analysis / CodeScene Cloud Delta Analysis (v15/dev)

✅ Getting better: Complex Method 

ChangePasswordAsync decreases in cyclomatic complexity from 15 to 14, threshold = 9. This function has many conditional statements (e.g. if, for, while), leading to lower code health. Avoid adding more conditionals and code to it without refactoring.

if (result.Success is false)
{
Expand Down Expand Up @@ -2184,9 +2193,26 @@
public async Task<Attempt<PasswordChangedModel, UserOperationStatus>> ResetPasswordAsync(Guid userKey, string token, string password)
{
using ICoreScope scope = ScopeProvider.CreateCoreScope();
IServiceScope serviceScope = _serviceScopeFactory.CreateScope();

EventMessages evtMsgs = EventMessagesFactory.Get();
IBackOfficeUserStore userStore = serviceScope.ServiceProvider.GetRequiredService<IBackOfficeUserStore>();

IUser? user = await userStore.GetAsync(userKey);
if (user is null)
{
return Attempt.FailWithStatus(UserOperationStatus.UserNotFound, new PasswordChangedModel());
}

var savingNotification = new UserPasswordResettingNotification(user, evtMsgs);
if (await scope.Notifications.PublishCancelableAsync(savingNotification))
{
scope.Complete();
return Attempt.FailWithStatus(UserOperationStatus.CancelledByNotification, new PasswordChangedModel());
}

Attempt<PasswordChangedModel, UserOperationStatus> changePasswordAttempt =
await ChangePasswordAsync(userKey, new ChangeUserPasswordModel
await ChangePasswordAsync(user, new ChangeUserPasswordModel
{
NewPassword = password,
UserKey = userKey,
Expand Down