From a3a28af2aabb7da47f11ee1d840c3895313cc123 Mon Sep 17 00:00:00 2001 From: Marco Date: Sun, 30 Jul 2017 16:12:10 +0200 Subject: [PATCH] Fail with exception in 'forgotPassword' if password reset is disabled --- src/Auth.php | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/src/Auth.php b/src/Auth.php index 485f2c2..a814580 100644 --- a/src/Auth.php +++ b/src/Auth.php @@ -654,6 +654,7 @@ final class Auth extends UserManager { * @param int|null $maxOpenRequests (optional) the maximum number of unexpired and unused requests per user * @throws InvalidEmailException if the email address was invalid or could not be found * @throws EmailNotVerifiedException if the email address has not been verified yet via confirmation email + * @throws ResetDisabledException if the user has explicitly disabled password resets for their account * @throws TooManyRequestsException if the number of allowed attempts/requests has been exceeded * @throws AuthError if an internal problem occurred (do *not* catch) */ @@ -678,7 +679,7 @@ final class Auth extends UserManager { $userData = $this->getUserDataByEmailAddress( $email, - [ 'id', 'verified' ] + [ 'id', 'verified', 'resettable' ] ); // ensure that the account has been verified before initiating a password reset @@ -686,6 +687,11 @@ final class Auth extends UserManager { throw new EmailNotVerifiedException(); } + // do not allow a password reset if the user has explicitly disabled this feature + if ((int) $userData['resettable'] !== 1) { + throw new ResetDisabledException(); + } + $openRequests = (int) $this->getOpenPasswordResetRequests($userData['id']); if ($openRequests < $maxOpenRequests) {
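Review bot: The new guard `if ((int) $userData['resettable'] !== 1)` in the third hunk fails closed — a NULL or missing `resettable` value casts to 0 and throws `ResetDisabledException` — which is the safe direction but broader than the docblock's "explicitly disabled" wording, so the contract should be stated at the check, e.g. `// fail closed: any value other than 1 (including NULL on a row without the column set) blocks the reset`. Note also that `ResetDisabledException` is raised to an unauthenticated caller before any request is recorded, giving a third distinguishable response next to `InvalidEmailException` and `EmailNotVerifiedException`; that distinction pre-dates this commit, but code surfacing these to end users should collapse them into one uniform "if that address exists, mail has been sent" message to avoid account enumeration. Whether an attempt-level throttle runs earlier in the method is not visible in this hunk; if there is none, repeated probes against a reset-disabled account are never counted by `getOpenPasswordResetRequests`, since the new check returns before it. The body of `forgotPassword` starts and ends outside the hunk.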