Project

General

Profile

Actions
Copy link

Bug #97784

closed

Password Recovery does not work because FrontendUserRepository does not respect storage pages

Added by B. Kausch over 2 years ago. Updated over 2 years ago.

Status:
Closed
Priority:
Should have
Assignee:
-
Category:
felogin
Target version:
-
Start date:
2022-06-17
Due date:
% Done:

0%

Estimated time:
TYPO3 Version:
11
PHP Version:
8.0
Tags:
Complexity:
Is Regression:
Sprint Focus:

Description

Currently it is not possible to hold users with the same email address in different storage pids and recovery their password. What happens?

https://forge.typo3.org/projects/typo3cms-core/repository/1749/revisions/master/entry/typo3/sysext/felogin/Classes/Controller/PasswordRecoveryController.php#L85

An email address is fetched - here the storage pids are still respected.

But the next database query happens here: https://forge.typo3.org/projects/typo3cms-core/repository/1749/revisions/master/entry/typo3/sysext/felogin/Classes/Domain/Repository/FrontendUserRepository.php#L114

The problem is clear: the email address is used as an indentifier and the where clause does not implement respect for storage pages. So it can potentially happen that many users in different pids will get the same forgot hash. Of course the password resetting in this case will end in chaos.

Every query in the FrontendUserRepository should respect the storage pages!

Related issues 1 (0 open1 closed)

Related to TYPO3 Core - Bug #95132: felogin forgot password with email address - the felogin_forgotHash will be set for all fe_users with the same eMail addressClosedTorben Hansen2021-09-07

Actions
Actions
Copy link

Also available in: Atom PDF