Software / code / prosody
Changeset
13843:87dd8639f08f 13.0
mod_invites_register: Stricter validation of registration events
This fixes two problems:
1) Account invites that were created with a specific username were not
in fact restricted to that username.
2) Password reset invites were not restricted to resetting passwords,
but could be used to create an arbitrary new account if the client
or registration frontend (e.g. mod_invites_register_web) doesn't
handle/enforce the username.
This new validation ensures that registrations and resets are always for the
username specified in the invitation.
| author | Matthew Wild <mwild1@gmail.com> |
|---|---|
| date | Thu, 10 Apr 2025 16:07:32 +0100 |
| parents | 13841:d01cfbb7fc4f |
| children | 13844:bb15cbb856a1 13845:2558be2daaca |
| files | plugins/mod_invites_register.lua |
| diffstat | 1 files changed, 14 insertions(+), 2 deletions(-) [+] |
line wrap: on
line diff
--- a/plugins/mod_invites_register.lua Thu Apr 10 11:21:13 2025 +0100 +++ b/plugins/mod_invites_register.lua Thu Apr 10 16:07:32 2025 +0100 @@ -101,8 +101,20 @@ -- for this module to do... return; end - if validated_invite and validated_invite.additional_data and validated_invite.additional_data.allow_reset then - event.allow_reset = validated_invite.additional_data.allow_reset; + if validated_invite then + local username = validated_invite.username; + if username and username ~= event.username then + event.allowed = false; + event.reason = "The chosen username is not valid with this invitation"; + end + local reset_username = validated_invite.additional_data and validated_invite.additional_data.allow_reset; + if reset_username then + if reset_username ~= event.username then + event.allowed = false; + event.reason = "Incorrect username for password reset"; + end + event.allow_reset = reset_username; + end end end);
