Restrict password reset requests to username

AlternC · Sep 29, 2023 · 5eac4b3 · 5eac4b3
1 parent b406202
commit 5eac4b3
Show file tree

Hide file tree

Showing 2 changed files with 14 additions and 15 deletions.
diff --git a/bureau/admin/request_reset.php b/bureau/admin/request_reset.php
@@ -4,7 +4,7 @@
 
 $request = FALSE;
 $valid_request = TRUE;
-if (isset($_REQUEST['name_or_email'])) {
+if (isset($_REQUEST['name'])) {
     $request = TRUE;
     // Inserted into the global namespace by config.php
     $valid_request = !$fatalcsrf;
@@ -19,7 +19,7 @@
 $show_form =  !$request || ($request && !$valid_request);
 
 if ($request && $valid_request) {
-    $mem->send_reset_url($_REQUEST['name_or_email']);
+    $mem->send_reset_url($_REQUEST['name']);
 }
 
 if (!isset($charset) || ! $charset) {
@@ -53,8 +53,8 @@
                             <form action="request_reset.php" method="post" name="passwordreset">
                                 <?php csrf_get(); ?>
                                 <div>
-                                    <label for="name_or_email"><?php echo _('Username or e-mail'); ?></label>
-                                    <input type="text" class="int" name="name_or_email">
+                                    <label for="name"><?php echo _('Username'); ?></label>
+                                    <input type="text" class="int" name="name">
                                 </div>
                                 <div class="submit"><input type="submit" class="inb" name="submit"></div>
                             </form>

diff --git a/bureau/class/m_mem.php b/bureau/class/m_mem.php
@@ -685,20 +685,19 @@ function session_tempo_params_set($k, $v, $ecrase = false) {
     /**
      * Sends a password-reset URL.
      */
-    public function send_reset_url($email_or_login) {
+    public function send_reset_url($login) {
         global $msg, $L_FQDN, $L_HOSTING, $db;
-        // Look up user by email_or_login.
-        $db->query("SELECT * FROM membres WHERE login = ? OR mail = ? ;", array($email_or_login, $email_or_login));
+        // Look up user by login.
+        // 'mail' is not a unique key so we can't rely on it.
+        $db->query("SELECT * FROM membres WHERE login = ? ;", array($login));
 
-        $msg->log('mem', 'send_reset_url', 'Password reset requested for: ' . $email_or_login);
+        $msg->log('mem', 'send_reset_url', 'Password reset requested for: ' . $login);
         // Give user feedback, even if we don't have an account stored.
         $msg->raise('INFO', 'mem', _('An e-mail with information on how to connect has been sent to the owner of the account if one exists'));
 
-        // It is possible here that a user could have multiple accounts for a
-        // single e-mail since 'mail' is not a uniqe key in the membres table.
-        // For the moment we'll just take the first account.
+        // Get the corresponding account.
         if (!$db->num_rows()) {
-            $msg->log('mem', 'send_reset_url', 'No member found with login or mail ' . $email_or_login);
+            $msg->log('mem', 'send_reset_url', 'No member found with login ' . $login);
             return FALSE;
         }
         if ($db->num_rows()) {
@@ -728,10 +727,10 @@ public function send_reset_url($email_or_login) {
     }
 
     /**
-     * Generate a reset URL for an account given it's e-mail or login.
+     * Generate a reset URL for an account given its login.
      *
-     * @param $email_or_login
-     *   A string with the email or login.
+     * @param $login
+     *   A string with the login.
      *
      * @returns string|boolean
      *   A reset URL or FALSE in case of error.