Implement change password in Symfony2

Question

What is the best way to implement change password functionality in Symfony2? Right now I'm using this:

$builder->add('password', 'repeated', array(
    'first_name' => 'New password',
    'second_name' => 'Confirm new password',
    'type' => 'password'
));

It should also contain the current password check for security reasons.

Note: I'm not using FOSUserBundle.

Lewis · Accepted Answer · 2021-09-15 15:50:13Z

51

Since Symfony 2.3 you can easily use UserPassword validation constraint.

Acme\UserBundle\Form\Model\ChangePassword.php

namespace Acme\UserBundle\Form\Model;

use Symfony\Component\Security\Core\Validator\Constraints as SecurityAssert;
use Symfony\Component\Validator\Constraints as Assert;

class ChangePassword
{
    /**
     * @SecurityAssert\UserPassword(
     *     message = "Wrong value for your current password"
     * )
     */
     protected $oldPassword;

    /**
     * @Assert\Length(
     *     min = 6,
     *     minMessage = "Password should be at least 6 chars long"
     * )
     */
     protected $newPassword;
}

Acme\UserBundle\Form\ChangePasswordType.php

namespace Acme\UserBundle\Form;

use Symfony\Component\Form\AbstractType;
use Symfony\Component\Form\FormBuilderInterface;
use Symfony\Component\OptionsResolver\OptionsResolverInterface;

class ChangePasswordType extends AbstractType
{
    public function buildForm(FormBuilderInterface $builder, array $options)
    {
        $builder->add('oldPassword', 'password');
        $builder->add('newPassword', 'repeated', array(
            'type' => 'password',
            'invalid_message' => 'The password fields must match.',
            'required' => true,
            'first_options'  => array('label' => 'Password'),
            'second_options' => array('label' => 'Repeat Password'),
        ));
    }

    public function setDefaultOptions(OptionsResolverInterface $resolver)
    {
        $resolver->setDefaults(array(
            'data_class' => 'Acme\UserBundle\Form\Model\ChangePassword',
        ));
    }

    public function getName()
    {
        return 'change_passwd';
    }
}

Acme\UserBundle\Controller\DemoController.php

namespace Acme\UserBundle\Controller;

use Symfony\Bundle\FrameworkBundle\Controller\Controller;
use Symfony\Component\HttpFoundation\Request;
use Acme\UserBundle\Form\ChangePasswordType;
use Acme\UserBundle\Form\Model\ChangePassword;

class DemoController extends Controller
{
    public function changePasswdAction(Request $request)
    {
      $changePasswordModel = new ChangePassword();
      $form = $this->createForm(new ChangePasswordType(), $changePasswordModel);

      $form->handleRequest($request);

      if ($form->isSubmitted() && $form->isValid()) {
          // perform some action,
          // such as encoding with MessageDigestPasswordEncoder and persist
          return $this->redirect($this->generateUrl('change_passwd_success'));
      }

      return $this->render('AcmeUserBundle:Demo:changePasswd.html.twig', array(
          'form' => $form->createView(),
      ));      
    }
}

edited Sep 15, 2021 at 15:50

Lewis

3,4253 gold badges32 silver badges26 bronze badges

answered Aug 27, 2013 at 8:15

jkucharovic

4,2441 gold badge33 silver badges46 bronze badges

Sign up to request clarification or add additional context in comments.

7 Comments

Ajay Patel Over a year ago

is it possible to change the password without login?

jkucharovic Over a year ago

@AjayPatel no, it's not possible. UserPasswordValidator uses security context of current authenticated user

Zwen2012 Over a year ago

Is it possible to get access to the formfields to style it in twig? Because in ChangePassword.php there is only one "newPassword" field.

Igor Carmagna Over a year ago

@Zwen2012: Yes, as demonstrated here in the guide symfony.com/doc/current/reference/forms/types/repeated.html

Narendra Kothule Over a year ago

@jkucharovic this works fine with me. but when my password is 'save password' to browsers, for this form 'old password' is pre filled and if password changed more than once, pre filled passwords are wrong password.. So how can i keep always empty 'old password' i tried 'array('always_empty' => false)' but it didn't work. any solution for this?

|

Herzult · Accepted Answer · 2012-02-03 22:38:24Z

9

You have to either create another model with two fields:

one for the current password;
and the other for the new one.

Or add a non-persisted property to your user model like the FOSUserBundle does (see the plainPassword property).

So once you checked both current and new password are valid, you encode the new password and replace the old one with it.

answered Feb 3, 2012 at 22:38

Herzult

3,41925 silver badges15 bronze badges

Comments

Taylan · Accepted Answer · 2016-10-06 10:55:41Z

6

Just add this to your form type:

$builder->add('oldPlainPassword', \Symfony\Component\Form\Extension\Core\Type\PasswordType::class, array(
    'constraints' => array(
        new \Symfony\Component\Security\Core\Validator\Constraints\UserPassword(),
    ),
    'mapped' => false,
    'required' => true,
    'label' => 'Current Password',
));

answered Oct 6, 2016 at 10:55

Taylan

3,1874 gold badges32 silver badges41 bronze badges

1 Comment

pedram shabani Over a year ago

I have this error when use it->>> The User object must implement the UserInterface interface.

Le Hoai Duc · Accepted Answer · 2014-10-30 06:09:36Z

I use a action from my controller:

public function changepasswordAction(Request $request) {
    $session = $request->getSession();

    if($request->getMethod() == 'POST') {
        $old_pwd = $request->get('old_password');
        $new_pwd = $request->get('new_password');
        $user = $this->getUser();
        $encoder = $this->container->get('security.encoder_factory')->getEncoder($user);
        $old_pwd_encoded = $encoder->encodePassword($old_pwd, $user->getSalt());

        if($user->getPassword() != $old_pwd_encoded) {
            $session->getFlashBag()->set('error_msg', "Wrong old password!");
        } else {
            $new_pwd_encoded = $encoder->encodePassword($new_pwd, $user->getSalt());
            $user->setPassword($new_pwd_encoded);
            $manager = $this->getDoctrine()->getManager();
            $manager->persist($user);

            $manager->flush();
            $session->getFlashBag()->set('success_msg', "Password change successfully!");
        }
        return $this->render('@adminlte/profile/change_password.html.twig');
    }

    return $this->render('@adminlte/profile/change_password.html.twig', array(

    ));
}

jpass · Accepted Answer · 2012-03-01 21:28:54Z

1

Can't You get old password from User before binding form?

// in action:
$oldpassword = $user->getPassword();

if ($request->getMethod() == 'POST') 
        {
            $form->bindRequest($request);

            if ($form->isValid()) 
            {
                // check password here (by hashing new one)

answered Mar 1, 2012 at 21:28

jpass

111 bronze badge

Collectives™ on Stack Overflow

Implement change password in Symfony2

5 Answers 5

7 Comments

Comments

1 Comment

Comments

Comments

Your Answer

Linked

Hot Network Questions

Collectives™ on Stack Overflow

5 Answers 5

7 Comments

Comments

1 Comment

Comments

Comments

Your Answer

Sign up or log in

Post as a guest

Linked

Related