


MDL-29000 multiple password reset issues
* stop abusing get_complete_user_data()
* fix case-sensitivity in password reset for PG
* do not allow reset of disabled accounts
* propose a solution for non-unique emails
skodak authored and stronk7 committed Aug 23, 2011
1 parent 9a529b0 commit 029e7f5
Showing 1 changed file with 16 additions and 3 deletions.
19 changes: 16 additions & 3 deletions login/forgot_password.php
Expand Up @@ -65,7 +65,13 @@

update_login_count();

$user = get_complete_user_data('username', $p_username);
$user = $DB->get_record('user', array('username'=>$p_username, 'mnethostid'=>$CFG->mnet_localhost_id, 'deleted'=>0, 'suspended'=>0));

if ($user and ($user->auth === 'nologin' or !is_enabled_auth($user->auth))) {
// bad luck - user is not able to login, do not let them reset password
$user = false;
}

if (!empty($user) and $user->secret === '') {
echo $OUTPUT->header();
print_error('secretalreadyused');
Expand Down Expand Up @@ -120,10 +126,17 @@

// first try the username
if (!empty($data->username)) {
$user = get_complete_user_data('username', $data->username);
$username = textlib_get_instance()->strtolower($data->username); // mimic the login page process, if they forget username they need to use email for reset
$user = $DB->get_record('user', array('username'=>$username, 'mnethostid'=>$CFG->mnet_localhost_id, 'deleted'=>0, 'suspended'=>0));

} else {
// this is tricky because
// 1/ the email is not guaranteed to be unique - TODO: send email with all usernames to select the correct account for pw reset
// 2/ mailbox may be case sensitive, the email domain is case insensitive - let's pretend it is all case-insensitive

$user = get_complete_user_data('email', $data->email);
$select = $DB->sql_like('email', ':email', false, true, false, '|'). " AND mnethostid = :mnethostid AND deleted=0 AND suspended=0";
$params = array('email'=>$DB->sql_like_escape($data->email, '|'), 'mnethostid'=>$CFG->mnet_localhost_id);
$user = $DB->get_record_select('user', $select, $params, '*', IGNORE_MULTIPLE);
}

if ($user and !empty($user->confirmed)) {
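Review bot: The form-submission lookups in the second hunk (the `$DB->get_record` call after the lowercased username and the `get_record_select` call in the email branch) filter on `deleted=0` and `suspended=0` but do not apply the `nologin` / `!is_enabled_auth($user->auth)` rejection that the first hunk adds for the link-click path; unless a check below `if ($user and !empty($user->confirmed)) {` (which continues past the hunk) covers it, an account whose auth plugin is disabled can still trigger a reset mail from the form. Mirroring the first hunk after the `if/else`, `if ($user and ($user->auth === 'nologin' or !is_enabled_auth($user->auth))) { $user = false; }`, keeps the two entry points in step, and since the same mnethostid/deleted/suspended condition is now spelled out three times, a small private helper taking the lookup field and value would stop them drifting apart again. In the email branch, `get_record_select(..., IGNORE_MULTIPLE)` has no ORDER BY, so when several accounts share an address (the case the TODO comment acknowledges) which account is reset depends on the database's row order, which is not stable; until the TODO is resolved, either an explicit order or refusing with a message when `count_records_select` reports more than one match would make the outcome deterministic and auditable. The enclosing block starts before the hunk.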

