Merge remote-tracking branch 'troll/MAGETWO-62966' into troll-bugfix-pr

Author: Oleksandr Dubovyk

app/code/Magento/Customer/Controller/Account/ResetPasswordPost.php

@@ -11,6 +11,8 @@
 use Magento\Customer\Model\Session;
 use Magento\Framework\App\Action\Context;
 use Magento\Framework\Exception\InputException;
+use Magento\Customer\Model\Customer\CredentialsValidator;
+use Magento\Framework\App\ObjectManager;
 
 class ResetPasswordPost extends \Magento\Customer\Controller\AbstractAccount
 {
@@ -25,21 +27,30 @@ class ResetPasswordPost extends \Magento\Customer\Controller\AbstractAccount
      */
     protected $session;
 
+    /**
+     * @var CredentialsValidator
+     */
+    private $credentialsValidator;
+
     /**
      * @param Context $context
      * @param Session $customerSession
      * @param AccountManagementInterface $accountManagement
      * @param CustomerRepositoryInterface $customerRepository
+     * @param CredentialsValidator|null $credentialsValidator
      */
     public function __construct(
         Context $context,
         Session $customerSession,
         AccountManagementInterface $accountManagement,
-        CustomerRepositoryInterface $customerRepository
+        CustomerRepositoryInterface $customerRepository,
+        CredentialsValidator $credentialsValidator = null
     ) {
         $this->session = $customerSession;
         $this->accountManagement = $accountManagement;
         $this->customerRepository = $customerRepository;
+        $this->credentialsValidator = $credentialsValidator ?: ObjectManager::getInstance()
+            ->get(CredentialsValidator::class);
         parent::__construct($context);
     }
 
@@ -72,6 +83,7 @@ public function execute()
 
         try {
             $customerEmail = $this->customerRepository->getById($customerId)->getEmail();
+            $this->credentialsValidator->checkPasswordDifferentFromEmail($customerEmail, $password);
             $this->accountManagement->resetPassword($customerEmail, $resetPasswordToken, $password);
             $this->session->unsRpToken();
             $this->session->unsRpCustomerId();

app/code/Magento/Customer/Model/AccountManagement.php

@@ -46,6 +46,7 @@
 use Magento\Framework\Stdlib\DateTime;
 use Magento\Framework\Stdlib\StringUtils as StringHelper;
 use Magento\Store\Model\StoreManagerInterface;
+use Magento\Customer\Model\Customer\CredentialsValidator;
 
 /**
  * Handle various customer account actions
@@ -287,6 +288,11 @@ class AccountManagement implements AccountManagementInterface
      */
     private $eavValidator;
 
+    /**
+     * @var CredentialsValidator
+     */
+    private $credentialsValidator;
+
     /**
      * @param CustomerFactory $customerFactory
      * @param ManagerInterface $eventManager
@@ -311,6 +317,7 @@ class AccountManagement implements AccountManagementInterface
      * @param CustomerModel $customerModel
      * @param ObjectFactory $objectFactory
      * @param ExtensibleDataObjectConverter $extensibleDataObjectConverter
+     * @param CredentialsValidator|null $credentialsValidator
      * @SuppressWarnings(PHPMD.ExcessiveParameterList)
      */
     public function __construct(
@@ -336,7 +343,8 @@ public function __construct(
         DateTime $dateTime,
         CustomerModel $customerModel,
         ObjectFactory $objectFactory,
-        ExtensibleDataObjectConverter $extensibleDataObjectConverter
+        ExtensibleDataObjectConverter $extensibleDataObjectConverter,
+        CredentialsValidator $credentialsValidator = null
     ) {
         $this->customerFactory = $customerFactory;
         $this->eventManager = $eventManager;
@@ -361,6 +369,8 @@ public function __construct(
         $this->customerModel = $customerModel;
         $this->objectFactory = $objectFactory;
         $this->extensibleDataObjectConverter = $extensibleDataObjectConverter;
+        $this->credentialsValidator = $credentialsValidator ?: ObjectManager::getInstance()
+            ->get(CredentialsValidator::class);
     }
 
     /**
@@ -655,6 +665,12 @@ public function createAccount(CustomerInterface $customer, $password = null, $re
     {
         if ($password !== null) {
             $this->checkPasswordStrength($password);
+            $customerEmail = $customer->getEmail();
+            try {
+                $this->credentialsValidator->checkPasswordDifferentFromEmail($customerEmail, $password);
+            } catch (InputException $e) {
+                throw new LocalizedException(__('Password cannot be the same as email address.'));
+            }
             $hash = $this->createPasswordHash($password);
         } else {
             $hash = null;
@@ -826,6 +842,8 @@ private function changePasswordForCustomer($customer, $currentPassword, $newPass
         } catch (InvalidEmailOrPasswordException $e) {
             throw new InvalidEmailOrPasswordException(__('The password doesn\'t match this account.'));
         }
+        $customerEmail = $customer->getEmail();
+        $this->credentialsValidator->checkPasswordDifferentFromEmail($customerEmail, $newPassword);
         $customerSecure = $this->customerRegistry->retrieveSecureData($customer->getId());
         $customerSecure->setRpToken(null);
         $customerSecure->setRpTokenCreatedAt(null);

app/code/Magento/Customer/Model/Customer/CredentialsValidator.php

@@ -0,0 +1,28 @@
+<?php
+/**
+ *
+ * Copyright © Magento, Inc. All rights reserved.
+ * See COPYING.txt for license details.
+ */
+
+namespace Magento\Customer\Model\Customer;
+
+use Magento\Framework\Exception\InputException;
+
+class CredentialsValidator
+{
+    /**
+     * Check that password is different from email.
+     *
+     * @param string $email
+     * @param string $password
+     * @return void
+     * @throws InputException
+     */
+    public function checkPasswordDifferentFromEmail($email, $password)
+    {
+        if (strcasecmp($password, $email) == 0) {
+            throw new InputException(__('Password cannot be the same as email address.'));
+        }
+    }
+}

app/code/Magento/Customer/Test/Unit/Model/Customer/CredentialsValidatorTest.php

@@ -0,0 +1,34 @@
+<?php
+/**
+ * Copyright © Magento, Inc. All rights reserved.
+ * See COPYING.txt for license details.
+ */
+namespace Magento\Customer\Test\Unit\Model\Customer;
+
+use Magento\Framework\TestFramework\Unit\Helper\ObjectManager as ObjectManagerHelper;
+
+class CredentialsValidatorTest extends \PHPUnit_Framework_TestCase
+{
+    private $objectManagerHelper;
+    private $object;
+
+    protected function setUp()
+    {
+        $this->objectManagerHelper = new ObjectManagerHelper($this);
+
+        $this->object = $this->objectManagerHelper
+            ->getObject(\Magento\Customer\Model\Customer\CredentialsValidator::class);
+    }
+
+    /**
+     * @expectedException \Magento\Framework\Exception\InputException
+     * @expectedExceptionMessage Password cannot be the same as email address.
+     */
+    public function testCheckPasswordDifferentFromEmail()
+    {
+        $email = 'test1@example.com';
+        $password = strtoupper($email); // for case-insensitive check
+
+        $this->object->checkPasswordDifferentFromEmail($email, $password);
+    }
+}

app/code/Magento/Customer/view/frontend/templates/form/edit.phtml

@@ -50,7 +50,7 @@
                 <input type="password" class="input-text" name="current_password" id="current-password" data-input="current-password" autocomplete="off" />
             </div>
         </div>
-        <div class="field new password required" data-container="new-password" data-mage-init='{"passwordStrengthIndicator": {}}'>
+        <div class="field new password required" data-container="new-password">
             <label class="label" for="password"><span><?php echo $block->escapeHtml(__('New Password')) ?></span></label>
             <div class="control">
                 <input type="password" class="input-text" name="password" id="password"
@@ -126,6 +126,11 @@
                 "titleChangePassword": "<?php echo $block->escapeJs($block->escapeHtml(__('Change Password'))) ?>",
                 "titleChangeEmailAndPassword": "<?php echo $block->escapeJs($block->escapeHtml(__('Change Email and Password'))) ?>"
             }
+        },
+        "[data-container=new-password]": {
+            "passwordStrengthIndicator": {
+                "formSelector": "form.form-edit-account"
+            }
         }
     }
 </script>

app/code/Magento/Customer/view/frontend/templates/form/register.phtml

@@ -133,7 +133,7 @@
                 <input type="email" name="email" autocomplete="email" id="email_address" value="<?php echo $block->escapeHtmlAttr($block->getFormData()->getEmail()) ?>" title="<?php echo $block->escapeHtmlAttr(__('Email')) ?>" class="input-text" data-validate="{required:true, 'validate-email':true}">
             </div>
         </div>
-        <div class="field password required" data-mage-init='{"passwordStrengthIndicator": {}}'>
+        <div class="field password required">
             <label for="password" class="label"><span><?php echo $block->escapeHtml(__('Password')) ?></span></label>
             <div class="control">
                 <input type="password" name="password" id="password"
@@ -220,3 +220,13 @@ require([
     }
 </script>
 <?php endif; ?>
+
+<script type="text/x-magento-init">
+    {
+        ".field.password": {
+            "passwordStrengthIndicator": {
+                "formSelector": "form.form-create-account"
+            }
+        }
+    }
+</script>

app/code/Magento/Customer/view/frontend/web/change-email-password.js

@@ -34,6 +34,19 @@ define([
             }, this));
 
             this._checkChoice();
+            this._bind();
+        },
+
+        /**
+         * Event binding, will monitor change, keyup and paste events.
+         * @private
+         */
+        _bind: function () {
+            this._on($(this.options.emailSelector), {
+                'change': this._updatePasswordFieldWithEmailValue,
+                'keyup': this._updatePasswordFieldWithEmailValue,
+                'paste': this._updatePasswordFieldWithEmailValue
+            });
         },
 
         /**
@@ -67,10 +80,7 @@ define([
 
             $(this.options.currentPasswordSelector).attr('data-validate', '{required:true}').prop('disabled', false);
             $(this.options.emailSelector).attr('data-validate', '{required:true}').prop('disabled', false);
-            $(this.options.newPasswordSelector).attr(
-                'data-validate',
-                '{required:true, \'validate-customer-password\':true}'
-            ).prop('disabled', false);
+            this._updatePasswordFieldWithEmailValue();
             $(this.options.confirmPasswordSelector).attr(
                 'data-validate',
                 '{required:true, equalTo:"' + this.options.newPasswordSelector + '"}'
@@ -119,6 +129,19 @@ define([
             $(this.options.emailContainerSelector).hide();
 
             $(this.options.emailSelector).removeAttr('data-validate').prop('disabled', true);
+        },
+
+        /**
+         * Update password validation rules with email input field value
+         * @private
+         */
+        _updatePasswordFieldWithEmailValue: function () {
+            $(this.options.newPasswordSelector).attr(
+                'data-validate',
+                '{required:true, ' +
+                '\'validate-customer-password\':true, ' +
+                '\'password-not-equal-to-user-name\':\'' + $(this.options.emailSelector).val() + '\'}'
+            ).prop('disabled', false);
         }
     });
 

app/code/Magento/Customer/view/frontend/web/js/password-strength-indicator.js

@@ -19,7 +19,9 @@ define([
             cache: {},
             passwordSelector: '[type=password]',
             passwordStrengthMeterSelector: '[data-role=password-strength-meter]',
-            passwordStrengthMeterLabelSelector: '[data-role=password-strength-meter-label]'
+            passwordStrengthMeterLabelSelector: '[data-role=password-strength-meter-label]',
+            formSelector: 'form',
+            emailSelector: 'input[type="email"]'
         },
 
         /**
@@ -30,11 +32,14 @@ define([
             this.options.cache.input = $(this.options.passwordSelector, this.element);
             this.options.cache.meter = $(this.options.passwordStrengthMeterSelector, this.element);
             this.options.cache.label = $(this.options.passwordStrengthMeterLabelSelector, this.element);
+
+            // We need to look outside the module for backward compatibility, since someone can already use the module.
+            this.options.cache.email = $(this.options.formSelector).find(this.options.emailSelector);
             this._bind();
         },
 
         /**
-         * Event binding, will monitor scroll and resize events (resize events left for backward compat)
+         * Event binding, will monitor change, keyup and paste events.
          * @private
          */
         _bind: function () {
@@ -43,6 +48,14 @@ define([
                 'keyup': this._calculateStrength,
                 'paste': this._calculateStrength
             });
+
+            if (this.options.cache.email.length) {
+                this._on(this.options.cache.email, {
+                    'change': this._calculateStrength,
+                    'keyup': this._calculateStrength,
+                    'paste': this._calculateStrength
+                });
+            }
         },
 
         /**
@@ -52,16 +65,25 @@ define([
         _calculateStrength: function () {
             var password = this._getPassword(),
                 isEmpty = password.length === 0,
-                zxcvbnScore = zxcvbn(password).score,
+                zxcvbnScore,
                 displayScore,
                 isValid;
 
             // Display score is based on combination of whether password is empty, valid, and zxcvbn strength
             if (isEmpty) {
                 displayScore = 0;
             } else {
-                isValid  = $.validator.validateSingleElement(this.options.cache.input);
-                displayScore = isValid ? zxcvbnScore : 1;
+                this.options.cache.input.rules('add', {
+                    'password-not-equal-to-user-name': this.options.cache.email.val()
+                });
+
+                if (password.toLowerCase() === this.options.cache.email.val().toLowerCase()) {
+                    displayScore = 1;
+                } else {
+                    isValid = $.validator.validateSingleElement(this.options.cache.input);
+                    zxcvbnScore = zxcvbn(password).score;
+                    displayScore = isValid ? zxcvbnScore : 1;
+                }
             }
 
             // Update label
@@ -75,32 +97,32 @@ define([
          */
         _displayStrength: function (displayScore) {
             var strengthLabel = '',
-                className = 'password-';
+                className;
 
             switch (displayScore) {
                 case 0:
                     strengthLabel = $t('No Password');
-                    className += 'none';
+                    className = 'password-none';
                     break;
 
                 case 1:
                     strengthLabel = $t('Weak');
-                    className += 'weak';
+                    className = 'password-weak';
                     break;
 
                 case 2:
                     strengthLabel = $t('Medium');
-                    className += 'medium';
+                    className = 'password-medium';
                     break;
 
                 case 3:
                     strengthLabel = $t('Strong');
-                    className += 'strong';
+                    className = 'password-strong';
                     break;
 
                 case 4:
                     strengthLabel = $t('Very Strong');
-                    className += 'very-strong';
+                    className = 'password-very-strong';
                     break;
             }