
Trigger error when resetting password for user with empty email

When password reset is handled through verification e-mails, the
administrator should not be able to reset the password if the user's
e-mail is blank as the user won't receive the verification URL.

Fixes #15893
1 parent 43abda6 commit a1cb667d3f47b953bf4b4aa0c9db7cd551c8b483 @dregad dregad committed May 21, 2013
Showing with 5 additions and 1 deletion.
  1. +5 −1 core/user_api.php
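--- a/core/user_api.php
+++ b/core/user_api.php
@@ -1367,8 +1367,12 @@ function user_reset_password( $p_user_id, $p_send_email = true ) {
 # and user_reset_password() )?
 if(( ON == config_get( 'send_reset_password' ) ) && ( ON == config_get( 'enable_email_notification' ) ) ) {
-# Create random password
 $t_email = user_get_field( $p_user_id, 'email' );
+if( is_blank( $t_email ) ) {
+trigger_error( ERROR_LOST_PASSWORD_NO_EMAIL_SPECIFIED, ERROR );
+}
+
+# Create random password
 $t_password = auth_generate_random_password( $t_email );
 $t_password2 = auth_process_plain_password( $t_password );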
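Review bot: The new `is_blank( $t_email )` guard has no explicit exit, so it only protects the account if the error handler halts on `ERROR`. Should `trigger_error()` return (for example under a non-halting error display configuration, which is not visible here), execution falls through to `auth_generate_random_password( $t_email )` and the account could end up with a replaced password that nobody receives. Consider following the call with `return false;`, if that matches how user_reset_password() reports failure elsewhere, or at least a comment such as `# trigger_error( ..., ERROR ) halts; nothing below runs for a blank e-mail`. The function body starts and ends outside the hunk, so the later password-set and e-mail steps are inferred from the commit description rather than seen.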
