4 * Controller to handle user password change requests.
7 * Expected REQUEST parameters
8 * $_REQUEST['pk'] - The primary key being used for encryption. The browser would have requested this previously
9 * $_REQUEST['curPass'] - ciphertext of the user's current password
10 * $_REQUEST['newPass'] - ciphertext of the new password to use
11 * $_REQUEST['newPass2'] - second copy of the ciphertext of the new password, used to confirm that the user entered it correctly.
15 * @link http://www.open-emr.org
16 * @author Kevin Yeh <kevin.y@integralemr.com>
17 * @author Brady Miller <brady.g.miller@gmail.com>
18 * @copyright Copyright (c) 2013 Kevin Yeh <kevin.y@integralemr.com>
19 * @copyright Copyright (c) 2013 OEMR <www.oemr.org>
20 * @copyright Copyright (c) 2017-2019 Brady Miller <brady.g.miller@gmail.com>
21 * @license https://github.com/openemr/openemr/blob/master/LICENSE GNU General Public License 3
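// Set $sessionAllowWrite to true to prevent session concurrency issues during authorization related code
$sessionAllowWrite = true;
require_once("../globals.php");

use OpenEMR\Common\Auth\AuthUtils;
use OpenEMR\Common\Csrf\CsrfUtils;

// Reject the request unless it carries a valid CSRF token. The token is read with a
// '' default so a missing field fails verification cleanly rather than raising an
// undefined-index warning. NOTE(review): csrfNotVerified() is assumed to end the
// request (nothing below should run on failure) — confirm against CsrfUtils.
if (!CsrfUtils::verifyCsrfToken($_POST["csrf_token_form"] ?? '')) {
    CsrfUtils::csrfNotVerified();
}

// Ciphertexts submitted by the browser (see the header comment for the expected
// parameters). Default to '' so an absent field yields a mismatch / validation
// error instead of a warning.
// NOTE(review): kept on $_REQUEST to match the documented interface; since the CSRF
// check above already requires a POST body, reading $_POST only would be stricter
// (keeps ciphertext out of query strings and access logs) — confirm no caller relies
// on GET before tightening.
$curPass = $_REQUEST['curPass'] ?? '';
$newPass = $_REQUEST['newPass'] ?? '';
$newPass2 = $_REQUEST['newPass2'] ?? '';

// Strict comparison: loose `!=` compares numeric-looking strings as numbers
// ("1e3" == "1000"), which is wrong for opaque ciphertext.
if ($newPass !== $newPass2) {
    echo "<div class='alert alert-danger'>" . xlt("Passwords Don't match!") . "</div>";
    // Stop here so a mismatched pair never reaches updatePassword().
    exit;
}

$authUtilsUpdatePassword = new AuthUtils();
// The logged-in user changes their own password, so actor and target are the same id.
$success = $authUtilsUpdatePassword->updatePassword($_SESSION['authUserID'], $_SESSION['authUserID'], $curPass, $newPass);
if ($success) {
    echo "<div class='alert alert-success'>" . xlt("Password change successful") . "</div>";
} else {
    // If updatePassword fails the error message is returned
    echo "<div class='alert alert-danger'>" . text($authUtilsUpdatePassword->getErrorMessage()) . "</div>";
}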