jelix · nworr · Sep 18, 2025 · Sep 18, 2025 · Sep 18, 2025
diff --git a/modules/authloginpass/controllers/passwordEdit.classic.php b/modules/authloginpass/controllers/passwordEdit.classic.php
@@ -0,0 +1,69 @@
+<?php
+/**
+* @author    Laurent Jouanneau <laurent@jelix.org>
+* @copyright 2007-2024 Laurent Jouanneau
+*
+* @link      https://jelix.org
+* @licence   MIT
+*/
+
+use Jelix\Authentication\LoginPass\Config as LoginPassConfig;
+
+class passwordEditCtrl extends jController
+{
+    public $pluginParams = array(
+        '*' => array('auth.required' => true),
+    );
+
+    protected function checkLoginPassConfAllowEdit()
+    {
+        $loginPassConfig = new LoginPassConfig(\jApp::config());
+        if (!$loginPassConfig->isPasswordChangeEnabled()) {
+
+            throw new jHttp403ForbiddenException();
+        }
+    }
+
+    public function show()
+    {
+        $this->checkLoginPassConfAllowEdit();
+        $rep  = $this->getResponse('html');
+        $form = jForms::get('password_edit');
+        if ($form == null) {
+            $form = jForms::create('password_edit');
+        }
+        $tpl = new jTpl();
+        $tpl->assign('form', $form);
+        $rep->body->assign('MAIN', $tpl->fetch('password_edit'));
+
+        return $rep;
+    }
+
+    public function save()
+    {
+        $this->checkLoginPassConfAllowEdit();
+        $form = jForms::fill('password_edit');
+        if ($form == null) {
+            return $this->redirect('passwordEdit:show');
+        }
+        if (!$form->check()) {
+            return $this->redirect('passwordEdit:show');
+        }
+        $currentPassword = $form->getData('current_password');
+        /** @var \loginpassIdentityProvider $idp */
+        $idp = jAuthentication::manager()->getIdpById('loginpass');
+        /** @var \Jelix\Authentication\LoginPass\Manager $lpManager */
+        $lpManager = $idp->getManager();
+        $login = jAuthentication::getCurrentUser()->getLogin();
+        $backEnd = $lpManager->getBackendHavingUser($login);
+        $isCurrentPassValid = $backEnd->verifyAuthentication($login, $currentPassword);
+
+        if (!$isCurrentPassValid) {
+            $form->setErrorOn('current_password', jLocale::get('password.form.create.error.badcurrentpwd'));
+
+            return $this->redirect('passwordEdit:show');
+        }
+        $backEnd->changePassword($login, $form->getData('new_password'));
+        return $this->getResponse('html');
+    }
+}
diff --git a/modules/authloginpass/events.xml b/modules/authloginpass/events.xml
@@ -0,0 +1,5 @@
+<events xmlns="http://jelix.org/ns/events/1.0">
+    <listener name="Jelix\Authentication\LoginPass\ProfileEventListener">
+        <event name="ProfileViewPageEvent" />
+    </listener>
+</events>
diff --git a/modules/authloginpass/forms/password_edit.form.xml b/modules/authloginpass/forms/password_edit.form.xml
@@ -0,0 +1,18 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<form xmlns="http://jelix.org/ns/forms/1.1">
+
+
+    <secret ref="current_password" required="true" minlength="2" maxlength="120">
+        <label locale="authloginpass~password.form.change.current.password.label" />
+    </secret>
+    <secret ref="new_password" required="true" minlength="12" maxlength="120">
+        <label locale="authloginpass~password.form.change.password.label" />
+        <help locale="authloginpass~password.form.password.help" />
+        <confirm locale="authloginpass~password.form.password.confirm" />
+    </secret>
+
+    <submit ref="pchg_submit">
+        <label locale="authloginpass~password.form.change.submit" />
+    </submit>
+
+</form>
diff --git a/modules/authloginpass/lib/ProfileEventListener.php b/modules/authloginpass/lib/ProfileEventListener.php
@@ -0,0 +1,34 @@
+<?php
+
+namespace Jelix\Authentication\LoginPass;
+
+use jAuthentication;
+use jEventListener;
+use jUrl;
+use jLocale;
+use Jelix\Authentication\Account\ProfileViewPageEvent;
+use Jelix\Authentication\LoginPass\Config as LoginPassConfig;
+
+class ProfileEventListener extends jEventListener
+{
+    public function onProfileViewPageEvent(ProfileViewPageEvent $event)
+    {
+        $session = jAuthentication::session();
+        $idp = $session->getIdentityProviderId();
+        if($idp == 'loginpass') {
+            $loginPassConfig = new LoginPassConfig(\jApp::config());
+            // does login pass conf allow password change ?
+            if($loginPassConfig->isPasswordChangeEnabled()) {
+                /** @var \loginpassIdentityProvider $idp */
+                $idp = jAuthentication::manager()->getIdpById('loginpass');
+                /** @var \Jelix\Authentication\LoginPass\Manager $lpManager */
+                $lpManager = $idp->getManager();
+                $login = jAuthentication::getCurrentUser()->getLogin();
+                // check if the backend allow passwordChange
+                if($lpManager->canChangePassword($login)) {
+                    $event->addContent('<a href="'. jUrl::get('authloginpass~passwordEdit:show').'" class="btn btn-primary">'.jLocale::get('authloginpass~password.btn.password.edit').'</a>', 6);
+                }
+            }
+        }
+    }
+}
diff --git a/modules/authloginpass/locales/en_US/password.UTF-8.properties b/modules/authloginpass/locales/en_US/password.UTF-8.properties
@@ -72,4 +72,6 @@ reset.cmdline.mail.undefined = User's email is not defined.
 reset.cmdline.error = There was an error during the password resetting.
 reset.cmdline.help.usage = usage: php cmdline.php jcommunity~reset_pass:reset login
 reset.cmdline.help.description = Send an email with a password reset link to a user.
-reset.cmdline.help.parameter.login = the user's login
+reset.cmdline.help.parameter.login = the user's login
+
+btn.password.edit=Modify your password
diff --git a/modules/authloginpass/locales/fr_FR/password.UTF-8.properties b/modules/authloginpass/locales/fr_FR/password.UTF-8.properties
@@ -73,3 +73,5 @@ reset.cmdline.error = Une erreur a eu lieu pendant la réinitialisation du mot d
 reset.cmdline.help.usage = usage: php cmdline.php jcommunity~reset_pass:reset login
 reset.cmdline.help.description = Envoie un lien de réinitialisation de mot de passe par mail a un utilisateur.
 reset.cmdline.help.parameter.login = le login de l'utilisateur
+
+btn.password.edit=Modifier votre mot de passe
diff --git a/modules/authloginpass/templates/password_edit.tpl b/modules/authloginpass/templates/password_edit.tpl
@@ -0,0 +1,11 @@
+<div>
+    <h1>{@authloginpass~password.form.change.title@}</h1>
+
+    {@authloginpass~password.form.change.text.html@}
+
+    {formfull $form, 'authloginpass~passwordEdit:save', [], 'adminlte', array(
+        'plugins' => array(
+        'new_password' => 'passwordeditor_html'
+    ))}
+
+</div>
diff --git a/modules/authloginpass/urls.xml b/modules/authloginpass/urls.xml
@@ -9,4 +9,7 @@
     <url pathinfo="/signin/reset/code/:request_id/password" action="password_reset:resetpassword" />
     <url pathinfo="/signin/reset/code/:request_id/save" action="password_reset:save" />
     <url pathinfo="/signin/reset/changed" action="password_reset:changed" />
-</suburls>
+
+    <url pathinfo="/password/reset/show" action="passwordEdit:show" />
+    <url pathinfo="/password/reset/save" action="passwordEdit:save" />
+</suburls>
diff --git a/test/testapp/app/system/mainconfig.ini.php b/test/testapp/app/system/mainconfig.ini.php
@@ -210,6 +210,8 @@
 backends[]=inifile
 after_login="adminui~default:index"
 loginResponse=htmllogin
+;set to false to deny password modification
+;passwordChangeEnabled=false
 
 [loginpass:common]
 passwordHashAlgo=1