
MDL-29000 multiple password reset issues

* stop abusing get_complete_user_data()
* fix case sensitivity in password reset for PG
* do not allow reset of disabled accounts
* propose a solution for non-unique emails
1 parent 9a529b0 commit 029e7f5eae7a884f7c6a978cd8cdcca7af836858 @skodak skodak committed with stronk7 Aug 20, 2011
Showing with 16 additions and 3 deletions.
  1. +16 −3 login/forgot_password.php
@@ -65,7 +65,13 @@
update_login_count();
- $user = get_complete_user_data('username', $p_username);
+ $user = $DB->get_record('user', array('username'=>$p_username, 'mnethostid'=>$CFG->mnet_localhost_id, 'deleted'=>0, 'suspended'=>0));
+
+ if ($user and ($user->auth === 'nologin' or !is_enabled_auth($user->auth))) {
+ // bad luck - user is not able to login, do not let them reset password
+ $user = false;
+ }
+
if (!empty($user) and $user->secret === '') {
echo $OUTPUT->header();
print_error('secretalreadyused');
@@ -120,10 +126,17 @@
// first try the username
if (!empty($data->username)) {
- $user = get_complete_user_data('username', $data->username);
+ $username = textlib_get_instance()->strtolower($data->username); // mimic the login page process, if they forget username they need to use email for reset
+ $user = $DB->get_record('user', array('username'=>$username, 'mnethostid'=>$CFG->mnet_localhost_id, 'deleted'=>0, 'suspended'=>0));
+
} else {
+ // this is tricky because
+ // 1/ the email is not guaranteed to be unique - TODO: send email with all usernames to select the correct account for pw reset
+ // 2/ mailbox may be case sensitive, the email domain is case insensitive - let's pretend it is all case-insensitive
- $user = get_complete_user_data('email', $data->email);
+ $select = $DB->sql_like('email', ':email', false, true, false, '|'). " AND mnethostid = :mnethostid AND deleted=0 AND suspended=0";
+ $params = array('email'=>$DB->sql_like_escape($data->email, '|'), 'mnethostid'=>$CFG->mnet_localhost_id);
+ $user = $DB->get_record_select('user', $select, $params, '*', IGNORE_MULTIPLE);
}
if ($user and !empty($user->confirmed)) {
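Review bot: The `nologin` / `!is_enabled_auth()` guard that the first hunk adds to the secret-confirmation path is missing from the username and email lookups in the second hunk, so a reset request for an account whose auth plugin is disabled (or set to `nologin`) still passes the `deleted`/`suspended` filter and reaches the `if ($user and !empty($user->confirmed))` branch, whose body continues outside the hunk and presumably sets a secret and sends the mail. Unless that code repeats the check, the commit's "do not allow reset of disabled accounts" only holds on the second step; I would add the same line after the `else` block closes, `if ($user and ($user->auth === 'nologin' or !is_enabled_auth($user->auth))) { $user = false; }`, or factor the condition into one small helper used by both paths so they cannot drift apart again. Note also that the second hunk lowercases the submitted username but the first hunk looks up `$p_username` as given; that is consistent only if the link is always built from the stored (lowercase) username, which is worth a comment at the first lookup, e.g. `// $p_username comes from the reset link built from the stored username, so no normalisation here`. The `IGNORE_MULTIPLE` lookup silently picks a database-order-dependent row when several accounts share an email, which the TODO already acknowledges; a comment saying which account wins would help until that is resolved. Both hunks are top-level script statements, and the `if` on the last line continues past the end of the hunk.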
