prosody
87dd8639f08f
util/adhoc.lua
Software / code / prosody
File
util/adhoc.lua @ 13843:87dd8639f08f 13.0
mod_invites_register: Stricter validation of registration events
This fixes two problems:
1) Account invites that were created with a specific username were not
in fact restricted to that username.
2) Password reset invites were not restricted to resetting passwords,
but could be used to create an arbitrary new account if the client
or registration frontend (e.g. mod_invites_register_web) doesn't
handle/enforce the username.
This new validation ensures that registrations and resets are always for the
username specified in the invitation.
| author | Matthew Wild <mwild1@gmail.com> |
|---|---|
| date | Thu, 10 Apr 2025 16:07:32 +0100 |
| parent | 11352:e10567199f02 |
line wrap: on
line source
-- luacheck: ignore 212/self local function new_simple_form(form, result_handler) return function(self, data, state) if state or data.form then if data.action == "cancel" then return { status = "canceled" }; end local fields, err = form:data(data.form); return result_handler(fields, err, data); else return { status = "executing", actions = {"next", "complete", default = "complete"}, form = form }, "executing"; end end end local function new_initial_data_form(form, initial_data, result_handler) return function(self, data, state) if state or data.form then if data.action == "cancel" then return { status = "canceled" }; end local fields, err = form:data(data.form); return result_handler(fields, err, data); else local values, err = initial_data(data); if type(err) == "table" then return {status = "error"; error = err} elseif type(err) == "string" then return {status = "error"; error = {type = "cancel"; condition = "internal-server-error", err}} end return { status = "executing", actions = {"next", "complete", default = "complete"}, form = { layout = form, values = values } }, "executing"; end end end return { new_simple_form = new_simple_form, new_initial_data_form = new_initial_data_form };
