# HG changeset patch # User Matthew Wild # Date 1744297652 -3600 # Node ID 87dd8639f08f6c5a4cf85679c90611abf0ea0568 # Parent d01cfbb7fc4ff26a9f11b2ffcd5787ae08608bb3 mod_invites_register: Stricter validation of registration events This fixes two problems: 1) Account invites that were created with a specific username were not in fact restricted to that username. 2) Password reset invites were not restricted to resetting passwords, but could be used to create an arbitrary new account if the client or registration frontend (e.g. mod_invites_register_web) doesn't handle/enforce the username. This new validation ensures that registrations and resets are always for the username specified in the invitation. diff -r d01cfbb7fc4f -r 87dd8639f08f plugins/mod_invites_register.lua --- a/plugins/mod_invites_register.lua Thu Apr 10 11:21:13 2025 +0100 +++ b/plugins/mod_invites_register.lua Thu Apr 10 16:07:32 2025 +0100 @@ -101,8 +101,20 @@ -- for this module to do... return; end - if validated_invite and validated_invite.additional_data and validated_invite.additional_data.allow_reset then - event.allow_reset = validated_invite.additional_data.allow_reset; + if validated_invite then + local username = validated_invite.username; + if username and username ~= event.username then + event.allowed = false; + event.reason = "The chosen username is not valid with this invitation"; + end + local reset_username = validated_invite.additional_data and validated_invite.additional_data.allow_reset; + if reset_username then + if reset_username ~= event.username then + event.allowed = false; + event.reason = "Incorrect username for password reset"; + end + event.allow_reset = reset_username; + end end end);