mod_invites_register: Stricter validation of registration events This fixes two problems: 1) Account invites that were created with a specific username were not in fact restricted to that username. 2) Password reset invites were not restricted to resetting passwords, but could be used to create an arbitrary new account if the client or registration frontend (e.g. mod_invites_register_web) doesn't handle/enforce the username. This new validation ensures that registrations and resets are always for the username specified in the invitation.

author: Matthew Wild <mwild1@gmail.com>
date: Thu, 10 Apr 2025 16:07:32 +0100
parent: 13011:16b47c3b44f3
child: 13849:068e77bf91b9
--- a/plugins/mod_invites_register.lua	Thu Apr 10 11:21:13 2025 +0100
+++ b/plugins/mod_invites_register.lua	Thu Apr 10 16:07:32 2025 +0100
@@ -101,8 +101,20 @@
 		-- for this module to do...
 		return;
 	end
-	if validated_invite and validated_invite.additional_data and validated_invite.additional_data.allow_reset then
-		event.allow_reset = validated_invite.additional_data.allow_reset;
+	if validated_invite then
+		local username = validated_invite.username;
+		if username and username ~= event.username then
+			event.allowed = false;
+			event.reason = "The chosen username is not valid with this invitation";
+		end
+		local reset_username = validated_invite.additional_data and validated_invite.additional_data.allow_reset;
+		if reset_username then
+			if reset_username ~= event.username then
+				event.allowed = false;
+				event.reason = "Incorrect username for password reset";
+			end
+			event.allow_reset = reset_username;
+		end
 	end
 end);