Discource-C
/
discourse
mirror of https://github.com/discourse/discourse.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

FIX: Prefer email when resetting password (#15650) 

The UI used to request a password reset by username when the user was
logged in. This did not work when hide_email_already_taken site setting
was enabled, which disables the lookup-by-username functionality.

This commit also introduces a check to ensure that the parameter is an
email when hide_email_already_taken is enabled as the single allowed
type is email (no usernames are allowed).
This commit is contained in:
Dan Ungureanu 2022-01-20 10:04:45 +02:00 committed by GitHub
parent f5ea00c73f
commit 5b7bddf966
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 9 additions and 17 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
app/assets/javascripts/discourse/app/models/user.js
View File

@ -429,7 +429,7 @@ const User = RestModel.extend({
changePassword() { changePassword() {
return ajax("/session/forgot_password", { return ajax("/session/forgot_password", {
dataType: "json", dataType: "json",
data: { login: this.username }, data: { login: this.email },
type: "POST", type: "POST",
}); });
}, },

22
app/controllers/session_controller.rb
View File

@ -434,32 +434,24 @@ class SessionController < ApplicationController
RateLimiter.new(nil, "forgot-password-hr-#{request.remote_ip}", 6, 1.hour).performed! RateLimiter.new(nil, "forgot-password-hr-#{request.remote_ip}", 6, 1.hour).performed!
RateLimiter.new(nil, "forgot-password-min-#{request.remote_ip}", 3, 1.minute).performed! RateLimiter.new(nil, "forgot-password-min-#{request.remote_ip}", 3, 1.minute).performed!
if SiteSetting.hide_email_address_taken user = if SiteSetting.hide_email_address_taken
user = User.find_by_email(Email.downcase(normalized_login_param)) raise Discourse::InvalidParameters.new(:login) if EmailValidator.email_regex !~ normalized_login_param
User.real.where(staged: false).find_by_email(Email.downcase(normalized_login_param))
else else
user = User.find_by_username_or_email(normalized_login_param) User.real.where(staged: false).find_by_username_or_email(normalized_login_param)
end end
if user if user
RateLimiter.new(nil, "forgot-password-login-day-#{user.username}", 6, 1.day).performed! RateLimiter.new(nil, "forgot-password-login-day-#{user.username}", 6, 1.day).performed!
email_token = user.email_tokens.create!(email: user.email, scope: EmailToken.scopes[:password_reset])
Jobs.enqueue(:critical_user_email, type: :forgot_password, user_id: user.id, email_token: email_token.token)
else else
RateLimiter.new(nil, "forgot-password-login-hour-#{normalized_login_param}", 5, 1.hour).performed! RateLimiter.new(nil, "forgot-password-login-hour-#{normalized_login_param}", 5, 1.hour).performed!
end end
user_presence = user.present? && user.human? && !user.staged
if user_presence
email_token = user.email_tokens.create!(email: user.email, scope: EmailToken.scopes[:password_reset])
Jobs.enqueue(:critical_user_email, type: :forgot_password, user_id: user.id, email_token: email_token.token)
end
json = success_json json = success_json
json[:user_found] = user.present? if !SiteSetting.hide_email_address_taken
if !SiteSetting.hide_email_address_taken
json[:user_found] = user_presence
end
render json: json render json: json
rescue RateLimiter::LimitExceeded rescue RateLimiter::LimitExceeded
render_json_error(I18n.t("rate_limiter.slow_down")) render_json_error(I18n.t("rate_limiter.slow_down"))
end end

2
spec/requests/session_controller_spec.rb
View File

@ -2068,7 +2068,7 @@ describe SessionController do
post "/session/forgot_password.json", post "/session/forgot_password.json",
params: { login: user.username } params: { login: user.username }
expect(response.status).to eq(200) expect(response.status).to eq(400)
expect(Jobs::CriticalUserEmail.jobs.size).to eq(0) expect(Jobs::CriticalUserEmail.jobs.size).to eq(0)
end end