Implement change password in Symfony2

Question

What is the best way to implement change password functionality in Symfony2? Right now I'm using this:

$builder->add('password', 'repeated', array(
    'first_name' => 'New password',
    'second_name' => 'Confirm new password',
    'type' => 'password'
));

It should also contain the current password check for security reasons.

Note: I'm not using FOSUserBundle.

score 51 · Accepted Answer · edited Sep 15 '21 at 15:50

Since Symfony 2.3 you can easily use UserPassword validation constraint.

Acme\UserBundle\Form\Model\ChangePassword.php

namespace Acme\UserBundle\Form\Model;

use Symfony\Component\Security\Core\Validator\Constraints as SecurityAssert;
use Symfony\Component\Validator\Constraints as Assert;

class ChangePassword
{
    /**
     * @SecurityAssert\UserPassword(
     *     message = "Wrong value for your current password"
     * )
     */
     protected $oldPassword;

    /**
     * @Assert\Length(
     *     min = 6,
     *     minMessage = "Password should be at least 6 chars long"
     * )
     */
     protected $newPassword;
}

Acme\UserBundle\Form\ChangePasswordType.php

namespace Acme\UserBundle\Form;

use Symfony\Component\Form\AbstractType;
use Symfony\Component\Form\FormBuilderInterface;
use Symfony\Component\OptionsResolver\OptionsResolverInterface;

class ChangePasswordType extends AbstractType
{
    public function buildForm(FormBuilderInterface $builder, array $options)
    {
        $builder->add('oldPassword', 'password');
        $builder->add('newPassword', 'repeated', array(
            'type' => 'password',
            'invalid_message' => 'The password fields must match.',
            'required' => true,
            'first_options'  => array('label' => 'Password'),
            'second_options' => array('label' => 'Repeat Password'),
        ));
    }

    public function setDefaultOptions(OptionsResolverInterface $resolver)
    {
        $resolver->setDefaults(array(
            'data_class' => 'Acme\UserBundle\Form\Model\ChangePassword',
        ));
    }

    public function getName()
    {
        return 'change_passwd';
    }
}

Acme\UserBundle\Controller\DemoController.php

namespace Acme\UserBundle\Controller;

use Symfony\Bundle\FrameworkBundle\Controller\Controller;
use Symfony\Component\HttpFoundation\Request;
use Acme\UserBundle\Form\ChangePasswordType;
use Acme\UserBundle\Form\Model\ChangePassword;

class DemoController extends Controller
{
    public function changePasswdAction(Request $request)
    {
      $changePasswordModel = new ChangePassword();
      $form = $this->createForm(new ChangePasswordType(), $changePasswordModel);

      $form->handleRequest($request);

      if ($form->isSubmitted() && $form->isValid()) {
          // perform some action,
          // such as encoding with MessageDigestPasswordEncoder and persist
          return $this->redirect($this->generateUrl('change_passwd_success'));
      }

      return $this->render('AcmeUserBundle:Demo:changePasswd.html.twig', array(
          'form' => $form->createView(),
      ));      
    }
}

@AjayPatel no, it's not possible. `UserPasswordValidator` [uses security context](https://github.com/symfony/symfony/blob/master/src/Symfony/Component/Security/Core/Validator/Constraints/UserPasswordValidator.php#L37) of current authenticated user — jkucharovic, Feb 13 '14 at 11:03
Is it possible to get access to the formfields to style it in twig? Because in ChangePassword.php there is only one "newPassword" field. — Zwen2012, Nov 20 '14 at 14:42
@Zwen2012: Yes, as demonstrated here in the guide http://symfony.com/doc/current/reference/forms/types/repeated.html — Igor Carmagna, Feb 08 '15 at 07:46
@jkucharovic are getters and setters required for the entity? — Raaz, Mar 10 '15 at 08:53
@jkucharovic this works fine with me. but when my password is 'save password' to browsers, for this form 'old password' is pre filled and if password changed more than once, pre filled passwords are wrong password.. So how can i keep always empty 'old password' i tried 'array('always_empty' => false)' but it didn't work. any solution for this? — Narendra Kothule, Apr 22 '15 at 20:38
See my answer for short version. This answer is way too long. — Taylan, Oct 06 '16 at 10:59

score 9 · Answer 2 · answered Feb 03 '12 at 22:38

You have to either create another model with two fields:

one for the current password;
and the other for the new one.

Or add a non-persisted property to your user model like the FOSUserBundle does (see the plainPassword property).

So once you checked both current and new password are valid, you encode the new password and replace the old one with it.

score 6 · Answer 3 · answered Oct 06 '16 at 10:55

6

Just add this to your form type:

$builder->add('oldPlainPassword', \Symfony\Component\Form\Extension\Core\Type\PasswordType::class, array(
    'constraints' => array(
        new \Symfony\Component\Security\Core\Validator\Constraints\UserPassword(),
    ),
    'mapped' => false,
    'required' => true,
    'label' => 'Current Password',
));

answered Oct 06 '16 at 10:55

Taylan

3,045
3
28
38

2

I have this error when use it->>> The User object must implement the UserInterface interface. – pedram shabani May 31 '18 at 16:23

score 4 · Answer 4 · answered Oct 30 '14 at 06:09

I use a action from my controller:

public function changepasswordAction(Request $request) {
    $session = $request->getSession();

    if($request->getMethod() == 'POST') {
        $old_pwd = $request->get('old_password');
        $new_pwd = $request->get('new_password');
        $user = $this->getUser();
        $encoder = $this->container->get('security.encoder_factory')->getEncoder($user);
        $old_pwd_encoded = $encoder->encodePassword($old_pwd, $user->getSalt());

        if($user->getPassword() != $old_pwd_encoded) {
            $session->getFlashBag()->set('error_msg', "Wrong old password!");
        } else {
            $new_pwd_encoded = $encoder->encodePassword($new_pwd, $user->getSalt());
            $user->setPassword($new_pwd_encoded);
            $manager = $this->getDoctrine()->getManager();
            $manager->persist($user);

            $manager->flush();
            $session->getFlashBag()->set('success_msg', "Password change successfully!");
        }
        return $this->render('@adminlte/profile/change_password.html.twig');
    }

    return $this->render('@adminlte/profile/change_password.html.twig', array(

    ));
}

score 1 · Answer 5 · answered Mar 01 '12 at 21:28

Can't You get old password from User before binding form?

// in action:
$oldpassword = $user->getPassword();

if ($request->getMethod() == 'POST') 
        {
            $form->bindRequest($request);

            if ($form->isValid()) 
            {
                // check password here (by hashing new one)

Implement change password in Symfony2

5 Answers5

Linked