From a843d3c5db44e1c5646980f7f7d6442f4c7dcce9 Mon Sep 17 00:00:00 2001
From: Arthur Schiwon
Date: Fri, 10 Sep 2021 22:40:10 +0200
Subject: [PATCH] allow using of disabled password reset mechanism for special cases

- LostController has three endpoints
- door opener email() still rejects
- resetform(), reachable from mail, checks the token first and may report that password reset is disabled
- setPassword() got its check removed as it is behind CSFR anyway and still requires a valid token
- this allows special cases like activating a freshly created guest account

Signed-off-by: Arthur Schiwon
---
 core/Controller/LostController.php | 32 ++++++++++++++----------------
 1 file changed, 15 insertions(+), 17 deletions(-)

diff --git a/core/Controller/LostController.php b/core/Controller/LostController.php
index cee3837ac5a..39b09c7fb63 100644
--- a/core/Controller/LostController.php
+++ b/core/Controller/LostController.php
@@ -134,22 +134,24 @@ class LostController extends Controller {
 	 * @return TemplateResponse
 	 */
 	public function resetform($token, $userId) {
-		if ($this->config->getSystemValue('lost_password_link', '') !== '') {
-			return new TemplateResponse('core', 'error', [
-				'errors' => [['error' => $this->l10n->t('Password reset is disabled')]]
-			],
-			'guest'
-			);
-		}
-
 		try {
 			$this->checkPasswordResetToken($token, $userId);
 		} catch (\Exception $e) {
-			return new TemplateResponse(
-				'core', 'error', [
-					"errors" => [["error" => $e->getMessage()]]
-				],
-				'guest'
+			if ($this->config->getSystemValue('lost_password_link', '') !== 'disabled'
+				|| ($e instanceof InvalidTokenException
+					&& !in_array($e->getCode(), [InvalidTokenException::TOKEN_NOT_FOUND, InvalidTokenException::USER_UNKNOWN]))
+			) {
+				return new TemplateResponse(
+					'core', 'error', [
+						"errors" => [["error" => $e->getMessage()]]
+					],
+					TemplateResponse::RENDER_AS_GUEST
+				);
+			}
+			return new TemplateResponse('core', 'error', [
+				'errors' => [['error' => $this->l10n->t('Password reset is disabled')]]
+			],
+			TemplateResponse::RENDER_AS_GUEST
 			);
 		}
 		$this->initialStateService->provideInitialState('core', 'resetPasswordUser', $userId);
@@ -241,10 +243,6 @@ class LostController extends Controller {
 	 * @return array
 	 */
 	public function setPassword($token, $userId, $password, $proceed) {
-		if ($this->config->getSystemValue('lost_password_link', '') !== '') {
-			return $this->error($this->l10n->t('Password reset is disabled'));
-		}
-
 		if ($this->encryptionManager->isEnabled() && !$proceed) {
 			$encryptionModules = $this->encryptionManager->getEncryptionModules();
 			foreach ($encryptionModules as $module) {
-- 
2.39.5
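Review bot: The new guard in resetform() only treats the literal value `'disabled'` as "reset is off", whereas the removed check fired on any non-empty `lost_password_link`, so an installation that points `lost_password_link` at an external reset URL will now serve the built-in reset form (valid token) or the raw token error (invalid token) instead of the "Password reset is disabled" page; if that narrowing is intended it should be stated in code, since the commit message only says email() still rejects. I would add above the new `if`: `// Only 'disabled' masks token errors here; a custom lost_password_link URL is enforced where tokens are issued (email()), not on the token-bearing endpoints.` The membership test should also be strict, `!in_array($e->getCode(), [InvalidTokenException::TOKEN_NOT_FOUND, InvalidTokenException::USER_UNKNOWN], true)`, so that a loose comparison cannot make an unrelated code match. Whether `InvalidTokenException` is already imported in this file, and which codes it defines, cannot be seen from the hunk.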
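Review bot: With the config gate removed, setPassword() authorises the credential change on the token check and the CSRF check alone, so the safety of a 'disabled' reset mechanism now rests entirely on no code path minting a `lostpassword` verification token other than the still-gated email(); that invariant exists only in the commit message and deserves a comment where the removed block was. I would add: `// Deliberately no lost_password_link check: a valid reset token is the sole authorisation (token issuance is gated in email()), which lets trusted flows such as guest-account activation complete even when self-service reset is disabled.` The `@return array` docblock above the signature could carry the same sentence so API readers see it. The body of setPassword() continues past the end of the hunk, so the token check the commit message relies on is not visible here.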