i would be useful to know who is trying to reset the password (misspelled username or email, ex user or some sort of attack)
Signed-off-by: NoSleep82 <52562874+NoSleep82@users.noreply.github.com>
- LostController has three endpoints
- door opener email() still rejects
- resetform(), reachable from mail, checks the token first and may report
that password reset is disabled
- setPassword() got its check removed as it is behind CSFR anyway and still
requires a valid token
- this allows special cases like activating a freshly created guest account
Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de>
To continue this formatting madness, here's a tiny patch that adds
unified formatting for control structures like if and loops as well as
classes, their methods and anonymous functions. This basically forces
the constructs to start on the same line. This is not exactly what PSR2
wants, but I think we can have a few exceptions with "our" style. The
starting of braces on the same line is pracrically standard for our
code.
This also removes and empty lines from method/function bodies at the
beginning and end.
Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
* Order the imports
* No leading slash on imports
* Empty line before namespace
* One line per import
* Empty after imports
* Emmpty line at bottom of file
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
Fix Argument 1 passed to OC\Security\Crypto::decrypt() must be of the type string, null given
Signed-off-by: Daniel Kesselberg <mail@danielkesselberg.de>
There is no need to log the expcetion of most of the stuff here.
We should properly log them but an exception is excessive.
This moves it to a proper exception which we can catch and then log.
The other exceptions will still be fully logged.
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
When a password is reste we should make sure that all users are properly
logged in. Pending states should be cleared. For example a session where
the 2FA code is not entered yet should be cleared.
The token is now removed so the session will be killed the next time
this is checked (within 5 minutes).
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
We use the same logic for creating accounts without a password and there the 12h is a bit short. Users don't expect that the signup link needs to be clicked within 12h - 7d should be a more expected behavior.
Signed-off-by: Morris Jobke <hey@morrisjobke.de>
When two or more user share the same email address its not possible to
reset password by email. Even when only one account is active.
This pr reduce list of users returned by getByEmail by disabled users.
Signed-off-by: Daniel Kesselberg <mail@danielkesselberg.de>
jld3103
Faraz Samapoor
Joas Schilling
Josh Richards
Côme Chilliet
NoSleep82
Thomas Citharel
Carl Schwan
Pytal
Arthur Schiwon
Gary Kim
John Molakvoæ (skjnldsv)
Christoph Wurst
Roeland Jago Douma
Daniel Kesselberg
Roeland Jago Douma
Julius Härtl
Morris Jobke
Bjoern Schiessle
Robin Appelman
Rémy Jacquin