From f5b94f152f076037ec59729b78c4d646516d0561 Mon Sep 17 00:00:00 2001
From: Dan Ungureanu
Date: Wed, 26 Jan 2022 10:39:58 +0200
Subject: [PATCH] FIX: Allow staff to reset passwords by username (#15709)

When staff visits the user profile of another user, the `email` field in the model is empty. In this case, staff cannot send the reset email password because nothing is passed in the `login` field. This commit changes the behavior for staff users to allow resetting password by username instead.
---
 app/assets/javascripts/discourse/app/models/user.js | 2 +-
 app/controllers/session_controller.rb | 2 +-
 spec/requests/session_controller_spec.rb | 10 ++++++++++
 3 files changed, 12 insertions(+), 2 deletions(-)

diff --git a/app/assets/javascripts/discourse/app/models/user.js b/app/assets/javascripts/discourse/app/models/user.js
index f4e130a6381..83f36723b66 100644
--- a/app/assets/javascripts/discourse/app/models/user.js
+++ b/app/assets/javascripts/discourse/app/models/user.js
@@ -429,7 +429,7 @@ const User = RestModel.extend({
   changePassword() {
     return ajax("/session/forgot_password", {
       dataType: "json",
-      data: { login: this.email },
+      data: { login: this.email || this.username },
       type: "POST",
     });
   },
diff --git a/app/controllers/session_controller.rb b/app/controllers/session_controller.rb
index e7e14544449..d24e3e9e03c 100644
--- a/app/controllers/session_controller.rb
+++ b/app/controllers/session_controller.rb
@@ -434,7 +434,7 @@ class SessionController < ApplicationController
     RateLimiter.new(nil, "forgot-password-hr-#{request.remote_ip}", 6, 1.hour).performed!
     RateLimiter.new(nil, "forgot-password-min-#{request.remote_ip}", 3, 1.minute).performed!
 
-    user = if SiteSetting.hide_email_address_taken
+    user = if SiteSetting.hide_email_address_taken && !current_user&.staff?
       raise Discourse::InvalidParameters.new(:login) if EmailValidator.email_regex !~ normalized_login_param
       User.real.where(staged: false).find_by_email(Email.downcase(normalized_login_param))
     else
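Review bot: The new `&& !current_user&.staff?` on the `user = if` line makes an endpoint that is otherwise driven only by the `login` parameter behave differently depending on session state, and nothing in the hunk says why, so a later reader may take it for a bug; a one-line comment would settle it: `# staff may look up by username even when email enumeration is hidden; anonymous and regular callers must supply an email`. Two consequences are worth confirming beyond the hunk: a staff session now skips the `EmailValidator.email_regex` rejection, so `normalized_login_param` reaches the lookup in the `else` branch unvalidated (acceptable only if that lookup treats the value purely as data), and the code that builds the JSON response is not shown, so check that whatever it discloses about whether a user was found is still keyed on the site setting alone. Note also that staff-initiated resets remain subject to the per-IP limiters visible above the change (6 per hour, 3 per minute), which an admin resetting several accounts from one address will hit. The enclosing method starts and ends outside the hunk.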
diff --git a/spec/requests/session_controller_spec.rb b/spec/requests/session_controller_spec.rb
index 52c580ee386..be65aec5eb3 100644
--- a/spec/requests/session_controller_spec.rb
+++ b/spec/requests/session_controller_spec.rb
@@ -2072,6 +2072,16 @@ describe SessionController do
       expect(Jobs::CriticalUserEmail.jobs.size).to eq(0)
     end
 
+    it 'allows for username when staff' do
+      sign_in(Fabricate(:admin))
+
+      post "/session/forgot_password.json",
+        params: { login: user.username }
+
+      expect(response.status).to eq(200)
+      expect(Jobs::CriticalUserEmail.jobs.size).to eq(1)
+    end
+
     it 'allows for email' do
       post "/session/forgot_password.json",
         params: { login: user.email }
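Review bot: The added example only proves the permissive path for an admin; nothing in this file asserts that the restriction survives for a signed-in non-staff user, so a regression that dropped the `hide_email_address_taken` check entirely would still pass. A sibling example that signs in a regular user, posts `login: user.username`, and expects no `Jobs::CriticalUserEmail` job closes that gap; the preceding example's `eq(0)` expectation suggests the setting is enabled in this context, but the `describe` block and any `before` that sets it are outside the hunk, so the sketch below assumes it. It would also be worth asserting which account the enqueued job targets, since both `user` and the signed-in admin are plausible recipients.
```ruby
    # constructed example — assumes the enclosing context enables hide_email_address_taken
    it 'does not allow username for non-staff' do
      sign_in(Fabricate(:user))

      post "/session/forgot_password.json",
        params: { login: user.username }

      expect(response.status).to eq(400)
      expect(Jobs::CriticalUserEmail.jobs.size).to eq(0)
    end
```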