Parameter validation for ChangeExpiredPassword action. (#8626)

* Parameter validation for ChangeExpiredPassword action. Centralized check for password expiration. * Added ForcePasswordChange flag check to redirect to the correct page when that flag is true. Co-authored-by: Andrea Piovanelli <andrea.piovanelli@laser-group.com>
2025-07-15 15:21:09 +08:00 · 2022-10-07 10:09:36 +02:00 · 2022-10-07 10:09:36 +02:00 · e0f987951e
commit e0f987951e
parent ab7ebd65c9
1 changed files with 13 additions and 8 deletions
--- a/src/Orchard.Web/Modules/Orchard.Users/Controllers/AccountController.cs
+++ b/src/Orchard.Web/Modules/Orchard.Users/Controllers/AccountController.cs
@ -329,15 +329,20 @@ namespace Orchard.Users.Controllers {

        [AlwaysAccessible]
        public ActionResult ChangeExpiredPassword(string username) {
-            var membershipSettings = _membershipService.GetSettings();
-            var userPart = _membershipService.GetUser(username).As<UserPart>();
-            var lastPasswordChangeUtc = userPart.LastPasswordChangeUtc;
-            // If there is no last password change date, use user creation date.
-            if (lastPasswordChangeUtc == null) {
-                lastPasswordChangeUtc = userPart.CreatedUtc;
+            if (string.IsNullOrWhiteSpace(username)) {
+                return RedirectToAction("LogOn");
            }
-            if (lastPasswordChangeUtc != null && lastPasswordChangeUtc.Value.AddDays(membershipSettings.PasswordExpirationTimeInDays) > _clock.UtcNow &&
-                    !userPart.ForcePasswordChange) {
+            var userPart = _membershipService.GetUser(username)?.As<UserPart>();
+            if (userPart == null) {
+                // user not valid / doesn't exist
+                return RedirectToAction("LogOn");
+            }
+            var membershipSettings = _membershipService.GetSettings();
+            // if the password hasn't actually expired for the user, redirect to logon
+            var passwordIsActuallyExpired = membershipSettings.EnableCustomPasswordPolicy
+                && membershipSettings.EnablePasswordExpiration
+                && _membershipService.PasswordIsExpired(userPart, membershipSettings.PasswordExpirationTimeInDays);
+            if (!passwordIsActuallyExpired && !userPart.ForcePasswordChange) {
                return RedirectToAction("LogOn");
            }