From dc1e192eacdebaa8e9419b90756c21616a183d74 Mon Sep 17 00:00:00 2001
From: Toby Zerner
Date: Fri, 28 Aug 2015 03:38:55 +0930
Subject: [PATCH] Allow non-admins to reset their password

The EditUser command requires the actor to have the "edit" permission, which is only granted to admins. We don't want to allow users to change their own password via the API, though. So instead of dispatching the command, we'll just update the user's password directly in the action.
---
 .../src/Forum/Actions/SavePasswordAction.php | 19 ++-----------------
 1 file changed, 2 insertions(+), 17 deletions(-)

diff --git a/framework/core/src/Forum/Actions/SavePasswordAction.php b/framework/core/src/Forum/Actions/SavePasswordAction.php
index f4e978622..c39007246 100644
--- a/framework/core/src/Forum/Actions/SavePasswordAction.php
+++ b/framework/core/src/Forum/Actions/SavePasswordAction.php
@@ -13,24 +13,10 @@ namespace Flarum\Forum\Actions;
 use Flarum\Core\Users\PasswordToken;
 use Flarum\Core\Users\Commands\EditUser;
 use Flarum\Support\Action;
-use Illuminate\Contracts\Bus\Dispatcher;
 use Psr\Http\Message\ServerRequestInterface as Request;

 class SavePasswordAction extends Action
 {
- /**
- * @var Dispatcher
- */
- protected $bus;
-
- /**
- * @param Dispatcher $bus
- */
- public function __construct(Dispatcher $bus)
- {
- $this->bus = $bus;
- }
-
 /**
 * @param Request $request
 * @param array $routeParams
@@ -49,9 +35,8 @@ class SavePasswordAction extends Action
 return $this->redirectTo('/reset/'.$token->id); // TODO: Use UrlGenerator
 }

- $this->bus->dispatch(
- new EditUser($token->user_id, $token->user, ['attributes' => ['password' => $password]])
- );
+ $token->user->changePassword($password);
+ $token->user->save();

 $token->delete();
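Review bot: In the second hunk, `$token->user->changePassword($password);` followed by `$token->user->save();` writes the new password straight to the model, so any validation the `EditUser` handler applied to the password is no longer guaranteed to run unless the model enforces it on `save()`. That is not visible here and should be confirmed, or an explicit check added before the call. Because the reset token is now the only authorization for this write, a comment above the two new lines would help the next reader, e.g. `// The reset token is the sole authorization here; EditUser is bypassed because it needs the admin-only "edit" permission.` The first hunk also leaves `use Flarum\Core\Users\Commands\EditUser;` in place although nothing in the visible code references it any more. The method body starts and ends outside the hunk, so the token lookup and any expiry check cannot be reviewed from here.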