MDL-71068 login: Fix edge cases with $CFG->protectusernames

2025-04-21 00:12:56 +02:00 · 2021-03-17 17:37:29 +11:00 · 2021-03-17 17:37:29 +11:00 · 7a825b659c
commit 7a825b659c
parent fc335f5ea0
3 changed files with 33 additions and 12 deletions
--- a/lang/en/moodle.php
+++ b/lang/en/moodle.php
@ -683,7 +683,7 @@ line at the top of your web browser window.
 If you need help, please contact the site administrator,
 {$a->admin}';
 $string['emailpasswordconfirmationsubject'] = '{$a}: Change password confirmation';
-$string['emailpasswordconfirmmaybesent'] = '<p>If you supplied a correct username or email address then an email should have been sent to you.</p>
+$string['emailpasswordconfirmmaybesent'] = '<p>If you supplied a correct username or unique email address then an email should have been sent to you.</p>
   <p>It contains easy instructions to confirm and complete this password change.
 If you continue to have difficulty, please contact the site administrator.</p>';
 $string['emailpasswordconfirmnoemail'] = '<p>The user account you specified does not have a recorded email address.</p>
--- a/login/lib.php
+++ b/login/lib.php
@ -387,7 +387,9 @@ function core_login_validate_forgot_password_data($data) {
                $user = get_complete_user_data('email', $data['email'], null, true);
                if (empty($user->confirmed)) {
                    send_confirmation_email($user);
-                    $errors['email'] = get_string('confirmednot');
+                    if (empty($CFG->protectusernames)) {
+                        $errors['email'] = get_string('confirmednot');
+                    }
                }
            } catch (dml_missing_record_exception $missingexception) {
                // User not found. Show error when $CFG->protectusernames is turned off.
@ -396,7 +398,9 @@ function core_login_validate_forgot_password_data($data) {
                }
            } catch (dml_multiple_records_exception $multipleexception) {
                // Multiple records found. Ask the user to enter a username instead.
-                $errors['email'] = get_string('forgottenduplicate');
+                if (empty($CFG->protectusernames)) {
+                    $errors['email'] = get_string('forgottenduplicate');
+                }
            }
        }

@ -404,7 +408,9 @@ function core_login_validate_forgot_password_data($data) {
        if ($user = get_complete_user_data('username', $data['username'])) {
            if (empty($user->confirmed)) {
                send_confirmation_email($user);
-                $errors['email'] = get_string('confirmednot');
+                if (empty($CFG->protectusernames)) {
+                    $errors['username'] = get_string('confirmednot');
+                }
            }
        }
        if (!$user and empty($CFG->protectusernames)) {
--- a/login/tests/lib_test.php
+++ b/login/tests/lib_test.php
@ -257,24 +257,34 @@ class core_login_lib_testcase extends advanced_testcase {
                ['username' => get_string('usernamenotfound')],
                ['protectusernames' => 0]
            ],
-            'Valid username, unconfirmed username' => [
+            'Valid username, unconfirmed username, username protection on' => [
                ['username' => 's1'],
-                ['email' => get_string('confirmednot')],
+                [],
                ['confirmed' => 0]
            ],
            'Invalid email' => [
                ['email' => 's1-example.com'],
                ['email' => get_string('invalidemail')]
            ],
-            'Multiple accounts with the same email' => [
+            'Multiple accounts with the same email, username protection on' => [
                ['email' => 's1@example.com'],
-                ['email' => get_string('forgottenduplicate')],
+                [],
                ['allowaccountssameemail' => 1]
            ],
-            'Multiple accounts with the same email but with different case' => [
+            'Multiple accounts with the same email, username protection off' => [
+                ['email' => 's1@example.com'],
+                ['email' => get_string('forgottenduplicate')],
+                ['allowaccountssameemail' => 1, 'protectusernames' => 0]
+            ],
+            'Multiple accounts with the same email but with different case, username protection is on' => [
+                ['email' => 'S1@EXAMPLE.COM'],
+                [],
+                ['allowaccountssameemail' => 1]
+            ],
+            'Multiple accounts with the same email but with different case, username protection is off' => [
                ['email' => 'S1@EXAMPLE.COM'],
                ['email' => get_string('forgottenduplicate')],
-                ['allowaccountssameemail' => 1]
+                ['allowaccountssameemail' => 1, 'protectusernames' => 0]
            ],
            'Non-existent email, username protection on' => [
                ['email' => 's2@example.com']
@ -290,10 +300,15 @@ class core_login_lib_testcase extends advanced_testcase {
            'Valid email, different case' => [
                ['email' => 'S1@EXAMPLE.COM']
            ],
-            'Valid email, unconfirmed user' => [
+            'Valid email, unconfirmed user, username protection is on' => [
+                ['email' => 's1@example.com'],
+                [],
+                ['confirmed' => 0]
+            ],
+            'Valid email, unconfirmed user, username protection is off' => [
                ['email' => 's1@example.com'],
                ['email' => get_string('confirmednot')],
-                ['confirmed' => 0]
+                ['confirmed' => 0, 'protectusernames' => 0]
            ],
        ];
    }