diff mod_invites_register_api/mod_invites_register_api.lua @ 4414:dbfa830e4504

mod_invites_register_api: Handle password resets Those need the information for whom they are in the GET response as well as special handling in the POST.
author Jonas Schäfer <jonas@wielicki.name>
date Sat, 30 Jan 2021 10:47:57 +0100
parents a1256e376dca
children
line wrap: on
line diff
--- a/mod_invites_register_api/mod_invites_register_api.lua	Sat Jan 30 07:19:35 2021 +0100
+++ b/mod_invites_register_api/mod_invites_register_api.lua	Sat Jan 30 10:47:57 2021 +0100
@@ -29,6 +29,7 @@
 		type = invite.type;
 		jid = invite.jid;
 		inviter = invite.inviter;
+		reset = invite.additional_data and invite.additional_data.allow_reset or nil;
 	});
 end
 
@@ -68,7 +69,13 @@
 		return 400;
 	end
 
-	if usermanager.user_exists(prepped_username, module.host) then
+	local reset_for = invite.additional_data and invite.additional_data.allow_reset or nil;
+	if reset_for ~= nil then
+		module:log("debug", "handling password reset invite for %s", reset_for)
+		if reset_for ~= prepped_username then
+			return 403; -- Attempt to use reset invite for incorrect user
+		end
+	elseif usermanager.user_exists(prepped_username, module.host) then
 		return 409; -- Conflict
 	end