class PasswordExpirationMiddleware implements HTTPMiddleware

Checks whether the authenticated user's password has expired.

Depending on the configuration, one of the following outcomes applies:

  • if the currently requested URL is whitelisted, the request is processed further
  • else, if a change password form URL is set, the user is redirected to it
  • else, the current user is set to null (deauthenticated for the current request) and the request is processed further

Traits

Provides extensions to this object to integrate it with standard config API methods.

Constants

SESSION_KEY_REDIRECT

Session key for persisting the URL of the password change form

SESSION_KEY_ALLOW_CURRENT_REQUEST

Session key for persisting a flag that allows the current request to be processed without performing the password expiration check

Config options

whitelisted_url_startswith string[]

List of URL prefixes users are allowed to visit; a requested URL is allowed when it starts with one of the patterns

default_redirect string

Where users with expired passwords are redirected by default when the login form did not register a custom URL with {SilverStripe\Security\AuthenticationMiddleware::setRedirect}

mimetypes_allowing_redirect string[]

The list of mimetypes allowing a redirect to a change password form.
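The following is an added example, not part of the SilverStripe documentation or the framework's own code. It sets the three config options from a project's `_config.php` (an assumed location; the paths are constructed) and then models, in a plain helper function, the outcome order described at the top of this page: whitelist first, then redirect, then deauthentication. Whether a redirect is permitted for the request's mimetype is passed in explicitly here; how the middleware itself derives that mimetype from the request is not covered by this page.

```php
<?php
// Added example; not SilverStripe's own code. Assumes it runs inside a
// SilverStripe project's _config.php where Config::modify() is available.
use SilverStripe\Core\Config\Config;
use SilverStripe\Security\PasswordExpirationMiddleware;

// Constructed project settings. The change-password path itself is
// whitelisted so that the redirect target is not subject to the redirect.
Config::modify()->set(PasswordExpirationMiddleware::class, 'whitelisted_url_startswith', [
    'Security/changepassword',
    'Security/logout',
]);
Config::modify()->set(PasswordExpirationMiddleware::class, 'default_redirect', 'Security/changepassword');
Config::modify()->set(PasswordExpirationMiddleware::class, 'mimetypes_allowing_redirect', ['text/html']);

/**
 * Model of the documented decision order (constructed helper, not the
 * middleware's own implementation). Returns 'allow', 'redirect' or
 * 'deauthenticate' for a member whose password has already expired.
 *
 * @param string      $path                      Requested path, with or without a leading slash
 * @param string[]    $whitelist                 Value of whitelisted_url_startswith
 * @param string|null $redirectUrl               Registered change-password URL, or null if none
 * @param string      $mimetype                  Mimetype of the current request
 * @param string[]    $mimetypesAllowingRedirect Value of mimetypes_allowing_redirect
 */
function expiredPasswordOutcome(
    string $path,
    array $whitelist,
    ?string $redirectUrl,
    string $mimetype,
    array $mimetypesAllowingRedirect
): string {
    $path = ltrim($path, '/');

    // Prefix matching: a pattern matches when the path starts with it. An
    // empty pattern would match every path, so it is ignored here.
    foreach ($whitelist as $prefix) {
        $prefix = ltrim($prefix, '/');
        if ($prefix !== '' && strncmp($path, $prefix, strlen($prefix)) === 0) {
            return 'allow';
        }
    }

    // A redirect only makes sense for responses the client renders as a page.
    if ($redirectUrl !== null && in_array($mimetype, $mimetypesAllowingRedirect, true)) {
        return 'redirect';
    }

    // No usable redirect: treat the member as unauthenticated for this request.
    return 'deauthenticate';
}

$whitelist = ['Security/changepassword', 'Security/logout'];
$redirect = 'Security/changepassword';
$html = ['text/html'];

// A request to the whitelisted form, a non-whitelisted HTML page request and
// a JSON request, in that order.
var_dump(expiredPasswordOutcome('/Security/changepassword', $whitelist, $redirect, 'text/html', $html));
var_dump(expiredPasswordOutcome('/admin/pages', $whitelist, $redirect, 'text/html', $html));
var_dump(expiredPasswordOutcome('/api/items.json', $whitelist, $redirect, 'application/json', $html));
```

The three calls at the end exercise each branch: the whitelisted form is allowed, the HTML page request is redirected, and the JSON request, whose mimetype is not in `mimetypes_allowing_redirect`, falls through to deauthentication. Because matching is by prefix, keep whitelist entries as specific as possible; a short prefix allows every path beneath it.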

Properties

Methods

public static config()

Get a configuration accessor for this class. Shorthand for Config::inst()->get($this->class, .....).

public mixed uninherited(string $name)

Gets the uninherited value for the given config option

public process(HTTPRequest $request, callable $delegate)

Generate the response for the given request

protected HTTPResponse|null checkForExpiredPassword(HTTPRequest $request)

Check whether the just authenticated member's password has expired.

protected HTTPResponse|null handleExpiredPassword(HTTPRequest $request)

Check whether a redirect to a password change form is registered and redirect there if possible.

protected static string absoluteUrl(string $url)

Builds an absolute URL for the given path, adding the base URL if the path is configured as absolute

public static setRedirect(Session $session, string $url)

Preserves the password change URL in the session. Users with expired passwords are redirected to that URL to force them to change their password.

public static allowCurrentRequest(Session $session)

Allow the current request to finish without the password expiration check

Details

static Config_ForClass config()

Get a configuration accessor for this class. Shorthand for Config::inst()->get($this->class, .....).

Return Value

Config_ForClass

mixed uninherited(string $name)

Gets the uninherited value for the given config option

Parameters

string $name

Return Value

mixed

HTTPResponse process(HTTPRequest $request, callable $delegate)

Generate the response for the given request

Parameters

HTTPRequest $request
callable $delegate

Return Value

HTTPResponse

protected HTTPResponse|null checkForExpiredPassword(HTTPRequest $request)

Check whether the just authenticated member's password has expired.

Returns a response if the current request should not be processed as usual.

Parameters

HTTPRequest $request

Return Value

HTTPResponse|null

protected HTTPResponse|null handleExpiredPassword(HTTPRequest $request)

Check whether a redirect to a password change form is registered and redirect there if possible.

Otherwise, deauthenticate the user by resetting it for this request, since we should treat ones with expired passwords as unauthorised.

Parameters

HTTPRequest $request

Return Value

HTTPResponse|null

static protected string absoluteUrl(string $url)

Builds an absolute URL for the given path, adding the base URL if the path is configured as absolute

Parameters

string $url

Return Value

string

static setRedirect(Session $session, string $url)

Preserves the password change URL in the session. Users with expired passwords are redirected to that URL to force them to change their password.

Parameters

Session $session

Session where we persist the redirect URL

string $url

Address of the change password form

static allowCurrentRequest(Session $session)

Allow the current request to finish without the password expiration check

Parameters

Session $session

Session where we persist the redirect URL
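As an added example of the two static helpers documented above (not SilverStripe's own code), a hypothetical project login handler registers a project-specific change-password URL for the session and lets the login request itself finish without the expiration check. The class name, the `afterLogin` method and the `/account/password/expired` URL are assumptions; `Member::isPasswordExpired()`, `HTTPRequest::getSession()` and `HTTPResponse::create()->redirect()` are existing framework APIs. Whatever URL is registered here also has to appear in `whitelisted_url_startswith`, otherwise the redirect target would itself be subject to the redirect.

```php
<?php
// Added example; not SilverStripe's own code. Assumes a SilverStripe 4 project.
use SilverStripe\Control\HTTPRequest;
use SilverStripe\Control\HTTPResponse;
use SilverStripe\Security\Member;
use SilverStripe\Security\PasswordExpirationMiddleware;

class ProjectLoginHandler // hypothetical project class
{
    /** Assumed project URL of the custom change-password form; must be whitelisted. */
    private const CHANGE_PASSWORD_URL = '/account/password/expired';

    /**
     * Called once $member has been authenticated by the project's own login
     * logic (out of scope here). Decides where the member goes next.
     */
    public function afterLogin(Member $member, HTTPRequest $request): HTTPResponse
    {
        $session = $request->getSession();

        if ($member->isPasswordExpired()) {
            // Register the project form for this session; this takes precedence
            // over the default_redirect config option.
            PasswordExpirationMiddleware::setRedirect($session, self::CHANGE_PASSWORD_URL);

            // Let the login request itself complete without the expiration
            // check so the redirect response below reaches the browser.
            PasswordExpirationMiddleware::allowCurrentRequest($session);

            return HTTPResponse::create()->redirect(self::CHANGE_PASSWORD_URL);
        }

        // Password still valid: normal post-login destination (constructed).
        return HTTPResponse::create()->redirect('/');
    }
}
```

Registering the redirect only when the password has actually expired keeps the session free of the redirect URL for members who do not need it; the middleware's own check still applies to every later request of the session.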