Merge pull request #4809 from nextcloud/downstream-27676

Disable reset password link

config/config.sample.php

@@ -253,6 +253,7 @@
  * read-only user backend like LDAP), you can specify a custom link, where the
  * user is redirected to, when clicking the "reset password" link after a failed
  * login-attempt.
+ * In case you do not want to provide any link, replace the url with 'disabled'
  */
 'lost_password_link' => 'https://example.org/link/to/password/reset',
 

core/Controller/LoginController.php

@@ -159,6 +159,8 @@ public function showLoginForm($user, $redirect_url, $remember_login) {
 					$parameters['canResetPassword'] = $userObj->canChangePassword();
 				}
 			}
+		} elseif ($parameters['resetPasswordLink'] === 'disabled') {
+			$parameters['canResetPassword'] = false;
 		}
 
 		$parameters['alt_login'] = OC_App::getAlternativeLogIns();

core/Controller/LostController.php

@@ -131,6 +131,14 @@ public function __construct($appName,
 	 * @return TemplateResponse
 	 */
 	public function resetform($token, $userId) {
+		if ($this->config->getSystemValue('lost_password_link', '') !== '') {
+			return new TemplateResponse('core', 'error', [
+					'errors' => [['error' => $this->l10n->t('Password reset is disabled')]]
+				],
+				'guest'
+			);
+		}
+
 		try {
 			$this->checkPasswordResetToken($token, $userId);
 		} catch (\Exception $e) {
@@ -211,6 +219,10 @@ private function success() {
 	 * @return JSONResponse
 	 */
 	public function email($user){
+		if ($this->config->getSystemValue('lost_password_link', '') !== '') {
+			return new JSONResponse($this->error($this->l10n->t('Password reset is disabled')));
+		}
+
 		// FIXME: use HTTP error codes
 		try {
 			$this->sendEmail($user);
@@ -234,6 +246,10 @@ public function email($user){
 	 * @return array
 	 */
 	public function setPassword($token, $userId, $password, $proceed) {
+		if ($this->config->getSystemValue('lost_password_link', '') !== '') {
+			return $this->error($this->l10n->t('Password reset is disabled'));
+		}
+
 		if ($this->encryptionManager->isEnabled() && !$proceed) {
 			return $this->error('', array('encryption' => true));
 		}

core/js/lostpassword.js

@@ -22,7 +22,9 @@ OC.Lostpassword = {
 		if (!$('#user').val().length){
 			$('#submit').trigger('click');
 		} else {
-			if (OC.config.lost_password_link) {
+			if (OC.config.lost_password_link === 'disabled') {
+				return;
+			} else if (OC.config.lost_password_link) {
 				window.location = OC.config.lost_password_link;
 			} else {
 				$.post(

tests/Core/Controller/LostControllerTest.php

@@ -86,9 +86,13 @@ protected function setUp() {
 			->willReturn('ExistingUser');
 
 		$this->config = $this->createMock(IConfig::class);
-		$this->config->method('getSystemValue')
-			->with('secret', null)
-			->willReturn('SECRET');
+		$this->config->expects($this->any())
+			->method('getSystemValue')
+			->willReturnMap([
+				['secret', null, 'SECRET'],
+				['secret', '', 'SECRET'],
+				['lost_password_link', '', ''],
+			]);
 		$this->l10n = $this->createMock(IL10N::class);
 		$this->l10n
 			->expects($this->any())
@@ -347,10 +351,6 @@ public function testEmailSuccessful() {
 			->method('send')
 			->with($message);
 
-		$this->config->method('getSystemValue')
-			->with('secret', '')
-			->willReturn('SECRET');
-
 		$this->crypto->method('encrypt')
 			->with(
 				$this->equalTo('12348:ThisIsMaybeANotSoSecretToken!'),
@@ -434,10 +434,6 @@ public function testEmailWithMailSuccessful() {
 			->method('send')
 			->with($message);
 
-		$this->config->method('getSystemValue')
-			->with('secret', '')
-			->willReturn('SECRET');
-
 		$this->crypto->method('encrypt')
 			->with(
 				$this->equalTo('12348:ThisIsMaybeANotSoSecretToken!'),
@@ -516,10 +512,6 @@ public function testEmailCantSendException() {
 			->with($message)
 			->will($this->throwException(new \Exception()));
 
-		$this->config->method('getSystemValue')
-			->with('secret', '')
-			->willReturn('SECRET');
-
 		$this->crypto->method('encrypt')
 			->with(
 				$this->equalTo('12348:ThisIsMaybeANotSoSecretToken!'),