mirror/php-auth
1
0
Fork 0
mirror of https://github.com/delight-im/PHP-Auth.git synced 2025-08-03 22:57:27 +02:00
Code Issues Releases Wiki Activity

Fail with exception in 'forgotPassword' if password reset is disabled

Browse Source
This commit is contained in:
Marco
2017-07-30 16:12:10 +02:00
parent c842fa9792
commit a3a28af2aa
1 changed files with 7 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
src/Auth.php
View File

@@ -654,6 +654,7 @@ final class Auth extends UserManager {
* @param int|null $maxOpenRequests (optional) the maximum number of unexpired and unused requests per user * @param int|null $maxOpenRequests (optional) the maximum number of unexpired and unused requests per user
* @throws InvalidEmailException if the email address was invalid or could not be found * @throws InvalidEmailException if the email address was invalid or could not be found
* @throws EmailNotVerifiedException if the email address has not been verified yet via confirmation email * @throws EmailNotVerifiedException if the email address has not been verified yet via confirmation email
* @throws ResetDisabledException if the user has explicitly disabled password resets for their account
* @throws TooManyRequestsException if the number of allowed attempts/requests has been exceeded * @throws TooManyRequestsException if the number of allowed attempts/requests has been exceeded
* @throws AuthError if an internal problem occurred (do *not* catch) * @throws AuthError if an internal problem occurred (do *not* catch)
*/ */
@@ -678,7 +679,7 @@ final class Auth extends UserManager {
$userData = $this->getUserDataByEmailAddress( $userData = $this->getUserDataByEmailAddress(
$email, $email,
[ 'id', 'verified' ] [ 'id', 'verified', 'resettable' ]
); );
// ensure that the account has been verified before initiating a password reset // ensure that the account has been verified before initiating a password reset
@@ -686,6 +687,11 @@ final class Auth extends UserManager {
throw new EmailNotVerifiedException(); throw new EmailNotVerifiedException();
} }
// do not allow a password reset if the user has explicitly disabled this feature
if ((int) $userData['resettable'] !== 1) {
throw new ResetDisabledException();
}
$openRequests = (int) $this->getOpenPasswordResetRequests($userData['id']); $openRequests = (int) $this->getOpenPasswordResetRequests($userData['id']);
if ($openRequests < $maxOpenRequests) { if ($openRequests < $maxOpenRequests) {