[Reset Password] Make endpoint available without authentication (#1520)

lukmzig · stunnerparas · commit 96822e5439e6 · 2025-11-18T15:47:45.000Z
* make reset password endpoint public

* update docs
diff --git a/doc/00_Installation.md b/doc/00_Installation.md
@@ -26,7 +26,7 @@ security:
     firewalls: 
         pimcore_studio: '%pimcore_studio_backend.firewall_settings%'
     access_control:
-      - { path: ^/pimcore-studio/api/(docs|docs/json|translations)$, roles: PUBLIC_ACCESS }
+      - { path: ^/pimcore-studio/api/(docs|docs/json|translations|user/reset-password)$, roles: PUBLIC_ACCESS }
       - { path: ^/pimcore-studio/api, roles: ROLE_PIMCORE_USER }
 ```
 
diff --git a/src/Security/Voter/PublicAuthorizationVoter.php b/src/Security/Voter/PublicAuthorizationVoter.php
@@ -33,9 +33,16 @@ final class PublicAuthorizationVoter extends Voter
     use RequestTrait;
     use PublicTranslationTrait;
 
-    private const SUPPORTED_ATTRIBUTE = 'PUBLIC_STUDIO_API';
+    private const string SUPPORTED_ATTRIBUTE = 'PUBLIC_STUDIO_API';
 
-    private const SUPPORTED_SUBJECTS = ['translation'];
+    private const string TRANSLATION_SUBJECT = 'translation';
+
+    private const string RESET_PASSWORD_SUBJECT = 'resetPassword';
+
+    private const array SUPPORTED_SUBJECTS = [
+        self::TRANSLATION_SUBJECT,
+        self::RESET_PASSWORD_SUBJECT,
+    ];
 
     public function __construct(
         private readonly RequestStack $requestStack,
@@ -70,7 +77,8 @@ protected function voteOnAttribute(string $attribute, mixed $subject, TokenInter
     private function voteOnRequest(Request $request, string $subject): bool
     {
         return match ($subject) {
-            'translation' => $this->voteOnTranslation($request->getPayload()),
+            self::TRANSLATION_SUBJECT => $this->voteOnTranslation($request->getPayload()),
+            self::RESET_PASSWORD_SUBJECT => true,
             default => false,
         };
     }
diff --git a/src/User/Controller/ResetPasswordController.php b/src/User/Controller/ResetPasswordController.php
@@ -28,6 +28,7 @@
 use Symfony\Component\HttpFoundation\Response;
 use Symfony\Component\HttpKernel\Attribute\MapRequestPayload;
 use Symfony\Component\Routing\Attribute\Route;
+use Symfony\Component\Security\Http\Attribute\IsGranted;
 use Symfony\Component\Serializer\SerializerInterface;
 
 /**
@@ -46,6 +47,7 @@ public function __construct(
      * @throws RateLimitException|DomainConfigurationException|SendMailException
      */
     #[Route('/user/reset-password', name: 'pimcore_studio_api_user_reset_password', methods: ['POST'])]
+    #[IsGranted(self::VOTER_PUBLIC_STUDIO_API, 'resetPassword')]
     #[Post(
         path: self::PREFIX . '/user/reset-password',
         operationId: 'user_reset_password',
