Bug #97784
closed
Password Recovery does not work because FrontendUserRepository does not respect storage pages
Description
Currently it is not possible to hold users with the same email address in different storage pids and recover their passwords. What happens?
An email address is fetched - here the storage pids are still respected.
But the next database query happens here: https://forge.typo3.org/projects/typo3cms-core/repository/1749/revisions/master/entry/typo3/sysext/felogin/Classes/Domain/Repository/FrontendUserRepository.php#L114
The problem is clear: the email address is used as an identifier and the where clause does not implement respect for storage pages. So it can potentially happen that many users in different pids will get the same forgot hash. Of course the password resetting in this case will end in chaos.
Every query in the FrontendUserRepository should respect the storage pages!
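The behaviour described in this report, reproduced as an added example that is not TYPO3 core code: a constructed SQLite table stands in for `fe_users`, and the function names and sample rows are assumptions made for illustration. It compares an update keyed on the email address alone with one that also restricts on the storage pids.

```python
import secrets
import sqlite3

def make_db():
    """Constructed sample: two accounts share an address but live in different storage pages."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE fe_users (uid INTEGER PRIMARY KEY, pid INTEGER, "
        "username TEXT, email TEXT, felogin_forgotHash TEXT DEFAULT '')"
    )
    db.executemany(
        "INSERT INTO fe_users (uid, pid, username, email) VALUES (?, ?, ?, ?)",
        [(1, 10, "alice-shop", "alice@example.org"),
         (2, 20, "alice-forum", "alice@example.org"),
         (3, 10, "bob", "bob@example.org")],
    )
    return db

def set_hash_by_email(db, email, token):
    """Pattern from the report: the email address is the only identifier."""
    cur = db.execute(
        "UPDATE fe_users SET felogin_forgotHash = ? WHERE email = ?", (token, email))
    return cur.rowcount

def set_hash_scoped(db, email, token, storage_pids):
    """Same update, restricted to the configured storage pages (hypothetical helper)."""
    if not storage_pids:
        return 0  # no storage page configured: touch nothing rather than everything
    marks = ",".join("?" * len(storage_pids))
    cur = db.execute(
        f"UPDATE fe_users SET felogin_forgotHash = ? WHERE email = ? AND pid IN ({marks})",
        (token, email, *storage_pids))
    return cur.rowcount

def users_with_hash(db, token):
    """Return the uids that currently carry the given forgot hash."""
    rows = db.execute(
        "SELECT uid FROM fe_users WHERE felogin_forgotHash = ? ORDER BY uid", (token,))
    return [uid for (uid,) in rows]

if __name__ == "__main__":
    token = secrets.token_hex(16)
    db = make_db()
    print("unscoped:", set_hash_by_email(db, "alice@example.org", token), users_with_hash(db, token))
    db = make_db()
    print("scoped:  ", set_hash_scoped(db, "alice@example.org", token, [10]), users_with_hash(db, token))
```

A row count greater than one from the update is itself a useful signal: it means a single recovery request touched several accounts.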
Updated by Torben Hansen over 2 years ago
- Related to Bug #95132: felogin forgot password with email address - the felogin_forgotHash will be set for all fe_users with the same eMail address added
Updated by Torben Hansen over 2 years ago
- Status changed from Accepted to Closed
I'm closing the issue, since it is a duplicate of #95132