From d5c6d56170aa4432db930a92436b7c997d5003fd Mon Sep 17 00:00:00 2001
From: Joas Schilling
Date: Fri, 18 Aug 2017 13:03:40 +0200
Subject: [PATCH] No password reset for disabled users

Signed-off-by: Joas Schilling
---
 core/Controller/LostController.php | 15 ++++++++--
 tests/Core/Controller/LostControllerTest.php | 29 ++++++++++++++++++++
 2 files changed, 41 insertions(+), 3 deletions(-)

diff --git a/core/Controller/LostController.php b/core/Controller/LostController.php
index 59a4e0b253..d23a6c2970 100644
--- a/core/Controller/LostController.php
+++ b/core/Controller/LostController.php
@@ -167,7 +167,7 @@ class LostController extends Controller {
 */
 protected function checkPasswordResetToken($token, $userId) {
 $user = $this->userManager->get($userId);
- if($user === null) {
+ if($user === null || !$user->isEnabled()) {
 throw new \Exception($this->l10n->t('Couldn\'t reset password because the token is invalid'));
 }
 
@@ -340,16 +340,25 @@ class LostController extends Controller {
 /**
 * @param string $input
 * @return IUser
- @throws \Exception
+ @throws \InvalidArgumentException
 */
 protected function findUserByIdOrMail($input) {
 $user = $this->userManager->get($input);
 if ($user instanceof IUser) {
+ if (!$user->isEnabled()) {
+ throw new \InvalidArgumentException($this->l10n->t('Couldn\'t send reset email. Please make sure your username is correct.'));
+ }
+
 return $user;
 }
 $users = $this->userManager->getByEmail($input);
 if (count($users) === 1) {
- return $users[0];
+ $user = $users[0];
+ if (!$user->isEnabled()) {
+ throw new \InvalidArgumentException($this->l10n->t('Couldn\'t send reset email. Please make sure your username is correct.'));
+ }
+
+ return $user;
 }
 throw new \InvalidArgumentException($this->l10n->t('Couldn\'t send reset email. Please make sure your username is correct.'));
diff --git a/tests/Core/Controller/LostControllerTest.php b/tests/Core/Controller/LostControllerTest.php
index ef419e40b4..0bdc11f8a2 100644
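Review bot: The new `!$user->isEnabled()` guard in checkPasswordResetToken deliberately answers a disabled account with the same "token is invalid" message as a missing one, but nothing in the hunk records that intent, so a later maintainer could "improve" it into a more specific message that reveals whether the account exists or is disabled. Suggest a comment above the condition: `// A disabled account is rejected with the same generic message as a missing one so the response does not reveal account state.` checkPasswordResetToken continues past the end of the hunk, so whether the stored reset token is also cleared for a disabled user is not visible here.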
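Review bot: The isEnabled check and its identical exception are now written three times in findUserByIdOrMail (after the get() lookup, after the single-email match, and as the final fallthrough), which invites the copies to drift apart the next time the message or the rule changes; the function's closing brace is outside the hunk. Resolving the user first and applying one guard keeps a single error path and states the "disabled is reported like unknown" rule in one place. Using `instanceof` in the final check keeps a `null` from get() and a zero-or-many email match on the same path as before.
```php
protected function findUserByIdOrMail($input) {
	$user = $this->userManager->get($input);
	if (!$user instanceof IUser) {
		$users = $this->userManager->getByEmail($input);
		$user = count($users) === 1 ? $users[0] : null;
	}
	// Disabled accounts get the same generic error as unknown ones so the
	// response does not reveal account state.
	if (!$user instanceof IUser || !$user->isEnabled()) {
		throw new \InvalidArgumentException($this->l10n->t('Couldn\'t send reset email. Please make sure your username is correct.'));
	}
	return $user;
```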
--- a/tests/Core/Controller/LostControllerTest.php
+++ b/tests/Core/Controller/LostControllerTest.php
@@ -84,6 +84,9 @@ class LostControllerTest extends \Test\TestCase {
 $this->existingUser->expects($this->any())
 ->method('getUID')
 ->willReturn('ExistingUser');
+ $this->existingUser->expects($this->any())
+ ->method('isEnabled')
+ ->willReturn(true);
 $this->config = $this->createMock(IConfig::class);
 $this->config->expects($this->any())
@@ -684,8 +687,34 @@ class LostControllerTest extends \Test\TestCase {
 $this->assertSame($expectedResponse, $response);
 }
+ public function testSetPasswordForDisabledUser() {
+ $user = $this->createMock(IUser::class);
+ $user->expects($this->any())
+ ->method('isEnabled')
+ ->willReturn(false);
+ $user->expects($this->never())
+ ->method('setPassword');
+
+ $this->config->method('getUserValue')
+ ->with('ValidTokenUser', 'core', 'lostpassword', null)
+ ->willReturn('encryptedData');
+ $this->userManager->method('get')
+ ->with('DisabledUser')
+ ->willReturn($this->existingUser);
+
+ $response = $this->lostController->setPassword('TheOnlyAndOnlyOneTokenToResetThePassword', 'DisabledUser', 'NewPassword', true);
+ $expectedResponse = [
+ 'status' => 'error',
+ 'msg' => 'Couldn\'t reset password because the token is invalid'
+ ];
+ $this->assertSame($expectedResponse, $response);
+ }
+
 public function testSendEmailNoEmail() {
 $user = $this->createMock(IUser::class);
+ $user->expects($this->any())
+ ->method('isEnabled')
+ ->willReturn(true);
 $this->userManager->method('userExists')
 ->with('ExistingUser')
 ->willReturn(true);
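Review bot: testSetPasswordForDisabledUser never hands its disabled mock to the controller: `->willReturn($this->existingUser)` returns the enabled fixture whose isEnabled is stubbed to true in the first hunk of this file, and the getUserValue stub is keyed on 'ValidTokenUser' while the call passes 'DisabledUser', so the asserted error most likely comes from the token lookup rather than from the new isEnabled guard, and the `never()` expectation on setPassword proves nothing. Change the two lines to `->with('DisabledUser', 'core', 'lostpassword', null)` and `->willReturn($user);` so the test actually drives the disabled-user branch. setPassword's token handling is outside this diff, so the exact reason the current test passes is inferred.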