allow using of disabled password reset mechanism for special cases
- LostController has three endpoints
- door opener email() still rejects
- resetform(), reachable from mail, checks the token first and may report
  that password reset is disabled
- setPassword() got its check removed as it is behind CSRF anyway and still
  requires a valid token
- this allows special cases like activating a freshly created guest account

Signed-off-by: Arthur Schiwon <[email protected]>
blizzz committed Sep 10, 2021
commit a843d3c5db44e1c5646980f7f7d6442f4c7dcce9
32 changes: 15 additions & 17 deletions core/Controller/LostController.php
Expand Up @@ -134,22 +134,24 @@ public function __construct(
* @return TemplateResponse
*/
public function resetform($token, $userId) {
if ($this->config->getSystemValue('lost_password_link', '') !== '') {
return new TemplateResponse('core', 'error', [
'errors' => [['error' => $this->l10n->t('Password reset is disabled')]]
],
'guest'
);
}

try {
$this->checkPasswordResetToken($token, $userId);
} catch (\Exception $e) {
return new TemplateResponse(
'core', 'error', [
"errors" => [["error" => $e->getMessage()]]
],
'guest'
if ($this->config->getSystemValue('lost_password_link', '') !== 'disabled'
|| ($e instanceof InvalidTokenException
&& !in_array($e->getCode(), [InvalidTokenException::TOKEN_NOT_FOUND, InvalidTokenException::USER_UNKNOWN]))
) {
return new TemplateResponse(
'core', 'error', [
"errors" => [["error" => $e->getMessage()]]
],
TemplateResponse::RENDER_AS_GUEST
);
}
return new TemplateResponse('core', 'error', [
'errors' => [['error' => $this->l10n->t('Password reset is disabled')]]
],
TemplateResponse::RENDER_AS_GUEST
);
}
$this->initialStateService->provideInitialState('core', 'resetPasswordUser', $userId);
Expand Down Expand Up @@ -241,10 +243,6 @@ public function email($user) {
* @return array
*/
public function setPassword($token, $userId, $password, $proceed) {
if ($this->config->getSystemValue('lost_password_link', '') !== '') {
return $this->error($this->l10n->t('Password reset is disabled'));
}

if ($this->encryptionManager->isEnabled() && !$proceed) {
$encryptionModules = $this->encryptionManager->getEncryptionModules();
foreach ($encryptionModules as $module) {