Merge pull request #7627 from umbraco/v8/bugfix/AB4828-resetpassword-mail

Warren Buckley · Warren Buckley · commit 6a6978d8da08 · 2020-02-12T11:56:10.000Z
AB4828 - Reset Password Email (cherry picked from commit f00680b)
diff --git a/src/Umbraco.Core/Persistence/Repositories/Implement/UserRepository.cs b/src/Umbraco.Core/Persistence/Repositories/Implement/UserRepository.cs
@@ -557,6 +557,16 @@ protected override void PersistUpdatedItem(IUser entity)
                 }
             }
 
+            // If userlogin or the email has changed then need to reset security stamp
+            if (changedCols.Contains("userLogin") || changedCols.Contains("userEmail"))
+            {
+                userDto.EmailConfirmedDate = null;
+                userDto.SecurityStampToken = entity.SecurityStamp = Guid.NewGuid().ToString();
+                
+                changedCols.Add("emailConfirmedDate");
+                changedCols.Add("securityStampToken");  
+            }
+
             //only update the changed cols
             if (changedCols.Count > 0)
             {
diff --git a/src/Umbraco.Tests/Persistence/Repositories/UserRepositoryTest.cs b/src/Umbraco.Tests/Persistence/Repositories/UserRepositoryTest.cs
@@ -409,6 +409,35 @@ public void Can_Get_Paged_Results_With_Filter_And_Groups()
             }
         }
 
+        [Test]
+        public void Can_Invalidate_SecurityStamp_On_Username_Change()
+        {
+            // Arrange
+            var provider = TestObjects.GetScopeProvider(Logger);
+            using (var scope = provider.CreateScope())
+            {
+                var repository = CreateRepository(provider);
+                var userGroupRepository = CreateUserGroupRepository(provider);
+
+                var user = CreateAndCommitUserWithGroup(repository, userGroupRepository);
+                var originalSecurityStamp = user.SecurityStamp;
+
+                // Ensure when user generated a security stamp is present
+                Assert.That(user.SecurityStamp, Is.Not.Null);
+                Assert.That(user.SecurityStamp, Is.Not.Empty);
+
+                // Update username
+                user.Username = user.Username + "UPDATED";
+                repository.Save(user);
+
+                // Get the user
+                var updatedUser = repository.Get(user.Id);
+
+                // Ensure the Security Stamp is invalidated & no longer the same
+                Assert.AreNotEqual(originalSecurityStamp, updatedUser.SecurityStamp);
+            }
+        }
+
         private void AssertPropertyValues(IUser updatedItem, IUser originalUser)
         {
             Assert.That(updatedItem.Id, Is.EqualTo(originalUser.Id));

Original file line number	Diff line number	Diff line change
`@@ -557,6 +557,16 @@ protected override void PersistUpdatedItem(IUser entity)`
`557`	`557`	`}`
`558`	`558`	`}`
`559`	`559`
	`560`	`+ // If userlogin or the email has changed then need to reset security stamp`
	`561`	`+ if (changedCols.Contains("userLogin") \|\| changedCols.Contains("userEmail"))`
	`562`	`+ {`
	`563`	`+ userDto.EmailConfirmedDate = null;`
	`564`	`+ userDto.SecurityStampToken = entity.SecurityStamp = Guid.NewGuid().ToString();`
	`565`	`+`
	`566`	`+ changedCols.Add("emailConfirmedDate");`
	`567`	`+ changedCols.Add("securityStampToken");`
	`568`	`+ }`
	`569`	`+`
`560`	`570`	`//only update the changed cols`
`561`	`571`	`if (changedCols.Count > 0)`
`562`	`572`	`{`