From ff72b8d1b001cb214e7af7c039295927ee67c93e Mon Sep 17 00:00:00 2001
From: Petr Skoda <commits@skodak.org>
Date: Sat, 20 Aug 2011 19:21:25 +0200
Subject: [PATCH] MDL-29000 multiple password reset issues

* stop abusing get_complete_user_data()
* fix case-sensitiveness in password reset for PG
* do not allow reset of disabled accounts
* propose a solution for non-unique emails
---
 login/forgot_password.php | 21 +++++++++++++++++----
 1 file changed, 17 insertions(+), 4 deletions(-)

diff --git a/login/forgot_password.php b/login/forgot_password.php
index 0608d76f0e1..f5fc673d1c7 100644
--- a/login/forgot_password.php
+++ b/login/forgot_password.php
@@ -65,7 +65,13 @@ if ($p_secret !== false) {
 
     update_login_count();
 
-    $user = get_complete_user_data('username', $p_username);
+    $user = $DB->get_record('user', array('username'=>$p_username, 'mnethostid'=>$CFG->mnet_localhost_id, 'deleted'=>0, 'suspended'=>0));
+
+    if ($user and ($user->auth === 'nologin' or !is_enabled_auth($user->auth))) {
+        // bad luck - user is not able to login, do not let them reset password
+        $user = false;
+    }
+
     if (!empty($user) and $user->secret === '') {
         echo $OUTPUT->header();
         print_error('secretalreadyused');
@@ -120,10 +126,17 @@ if ($mform->is_cancelled()) {
 
     // first try the username
     if (!empty($data->username)) {
-        $user = get_complete_user_data('username', $data->username);
-    } else {
+        $username = textlib_get_instance()->strtolower($data->username); // mimic the login page process, if they forget username they need to use email for reset
+        $user = $DB->get_record('user', array('username'=>$username, 'mnethostid'=>$CFG->mnet_localhost_id, 'deleted'=>0, 'suspended'=>0));
 
-        $user = get_complete_user_data('email', $data->email);
+    } else {
+        // this is tricky because
+        // 1/ the email is not guaranteed to be unique - TODO: send email with all usernames to select the correct account for pw reset
+        // 2/ mailbox may be case sensitive, the email domain is case insensitive - let's pretend it is all case-insensitive
+
+        $select = $DB->sql_like('email', ':email', false, true, false, '|'). " AND mnethostid = :mnethostid AND deleted=0 AND suspended=0";
+        $params = array('email'=>$DB->sql_like_escape($data->email, '|'), 'mnethostid'=>$CFG->mnet_localhost_id);
+        $user = $DB->get_record_select('user', $select, $params, '*', IGNORE_MULTIPLE);
     }
 
     if ($user and !empty($user->confirmed)) {