Merge pull request #215 from dachcom-digital/access_check

BranchJedi · web-flow · commit ca7164ffdaf8 · 2025-10-03T10:51:13.000+02:00
Account check before Password Reset
diff --git a/UPGRADE.md b/UPGRADE.md
@@ -2,6 +2,7 @@
 
 ## 5.1.2
 - **[BUGFIX]**: Fix interface compatibility [#216](https://github.com/dachcom-digital/pimcore-members/issues/216)
+- **[IMPROVEMENT]**: Account check before password reset
 
 ## 5.1.1
 - **[BUGFIX]**: Fix chunked serving of protected video assets [#214](https://github.com/dachcom-digital/pimcore-members/pull/214)
diff --git a/src/EventListener/ResettingListener.php b/src/EventListener/ResettingListener.php
@@ -60,7 +60,19 @@ public function onResettingResetSuccess(FormEvent $event): void
 
     public function onResettingResetRequest(GetResponseUserEvent $event): void
     {
-        if (!$event->getUser()->isAccountNonLocked()) {
+        $user = $event->getUser();
+
+        if (!$user instanceof UserInterface) {
+            return;
+        }
+
+        if (!$user->isAccountNonLocked()) {
+            $event->setResponse(new RedirectResponse($this->router->generate('members_user_resetting_request')));
+
+            return;
+        }
+
+        if ($user->getConfirmationToken() !== null) {
             $event->setResponse(new RedirectResponse($this->router->generate('members_user_resetting_request')));
         }
     }
diff --git a/tests/Functional/Frontend/Form/RegisterFormCest.php b/tests/Functional/Frontend/Form/RegisterFormCest.php
@@ -85,7 +85,7 @@ public function testUserRegistrationFormConfirmByAdminWithFinalConfirmationMail(
         $this->register($I);
 
         $user = $I->grabOneUserAfterRegistration();
-        $I->publishAndConfirmAFrontendUser($user);
+        $I->publishAFrontendUser($user);
 
         $email = Email::getByPath('/email/register-confirmed');
         $I->canSeeEmailIsSent($email);
diff --git a/tests/Functional/Frontend/Form/ResettingFormCest.php b/tests/Functional/Frontend/Form/ResettingFormCest.php
@@ -37,6 +37,18 @@ public function testResettingWithAdminConfirm(FunctionalTester $I): void
         $this->triggerResetForm($I, $user->getEmail());
     }
 
+    public function testResettingWithLockedUser(FunctionalTester $I): void
+    {
+        $user = $I->haveARegisteredFrontEndUser(false);
+
+        $I->amOnPage('/en/members/resetting/request');
+
+        $I->fillField('form[class="members_user_resetting_request"] input[type="text"][id="username"]', $user->getEmail());
+        $I->click('Reset password');
+
+        $I->canSeeCurrentRouteIs('members_user_resetting_request');
+    }
+
     private function triggerResetForm(FunctionalTester $I, $field): void
     {
         $I->amOnPage('/en/members/resetting/request');
diff --git a/tests/Support/Helper/Members.php b/tests/Support/Helper/Members.php
@@ -78,6 +78,7 @@ public function haveARegisteredFrontEndUser(bool $confirmed = false, array $grou
         $userObject->setUserName(MembersHelper::DEFAULT_FEU_USERNAME);
         $userObject->setPlainPassword(MembersHelper::DEFAULT_FEU_PASSWORD);
         $userObject->setPublished(false);
+        $userObject->setConfirmationToken(MembersHelper::DEFAULT_CONFIRMATION_TOKEN);
 
         if (count($additionalParameter) > 0) {
             foreach ($additionalParameter as $additionalParam => $additionalParamValue) {
@@ -101,10 +102,39 @@ public function haveARegisteredFrontEndUser(bool $confirmed = false, array $grou
         return $user;
     }
 
+    public function haveAConfirmedUnpublishedFrontEndUser(array $groups = [], array $additionalParameter = []): UserInterface
+    {
+        $user = $this->haveARegisteredFrontEndUser(true, $groups, $additionalParameter);
+
+        $user->setPublished(false);
+
+        $userManager = $this->getContainer()->get(UserManager::class);
+        $userManager->updateUser($user);
+
+        $this->assertInstanceOf(UserInterface::class, $user);
+
+        return $user;
+    }
+
     /**
      * Actor Function to publish and confirm (triggered by updateUser()) a frontend user.
      */
     public function publishAndConfirmAFrontendUser(UserInterface $user): void
+    {
+        $user->setPublished(true);
+        $user->setConfirmationToken(null);
+
+        $userManager = $this->getContainer()->get(UserManager::class);
+        $userManager->updateUser($user);
+
+        $this->assertTrue($user->getPublished());
+        $this->assertNull($user->getConfirmationToken());
+    }
+
+    /**
+     * Actor Function to publish (triggered by updateUser()) a frontend user.
+     */
+    public function publishAFrontendUser(UserInterface $user): void
     {
         $user->setPublished(true);
 
diff --git a/tests/Support/Util/MembersHelper.php b/tests/Support/Util/MembersHelper.php
@@ -11,6 +11,7 @@ class MembersHelper
     public const DEFAULT_FEU_EMAIL = 'test@universe.org';
     public const DEFAULT_FEU_PASSWORD = 'default-password';
     public const DEFAULT_FEG_NAME = 'Default Group';
+    public const DEFAULT_CONFIRMATION_TOKEN = 'default-confirmation-token';
 
     public static function assertMailSender(): void
     {

Original file line number	Diff line number	Diff line change
`@@ -11,6 +11,7 @@ class MembersHelper`
`11`	`11`	`public const DEFAULT_FEU_EMAIL = 'test@universe.org';`
`12`	`12`	`public const DEFAULT_FEU_PASSWORD = 'default-password';`
`13`	`13`	`public const DEFAULT_FEG_NAME = 'Default Group';`
	`14`	`+ public const DEFAULT_CONFIRMATION_TOKEN = 'default-confirmation-token';`
`14`	`15`
`15`	`16`	`public static function assertMailSender(): void`
`16`	`17`	`{`