Parameter validation for ChangeExpiredPassword action. (#8626)

* Parameter validation for ChangeExpiredPassword action. Centralized check for password expiration. * Added ForcePasswordChange flag check to redirect to the correct page when that flag is true. Co-authored-by: Andrea Piovanelli <andrea.piovanelli@laser-group.com>
2026-01-22 21:02:08 +08:00 · 2022-10-07 10:09:36 +02:00
parent ab7ebd65c9
commit e0f987951e
1 changed files with 13 additions and 8 deletions
--- a/src/Orchard.Web/Modules/Orchard.Users/Controllers/AccountController.cs
+++ b/src/Orchard.Web/Modules/Orchard.Users/Controllers/AccountController.cs
@@ -329,15 +329,20 @@ namespace Orchard.Users.Controllers {
        [AlwaysAccessible]
        public ActionResult ChangeExpiredPassword(string username) {
-            var membershipSettings = _membershipService.GetSettings();
+            if (string.IsNullOrWhiteSpace(username)) {
-            var userPart = _membershipService.GetUser(username).As<UserPart>();
+                return RedirectToAction("LogOn");
            var lastPasswordChangeUtc = userPart.LastPasswordChangeUtc;
            // If there is no last password change date, use user creation date.
            if (lastPasswordChangeUtc == null) {
                lastPasswordChangeUtc = userPart.CreatedUtc;
            }
-            if (lastPasswordChangeUtc != null && lastPasswordChangeUtc.Value.AddDays(membershipSettings.PasswordExpirationTimeInDays) > _clock.UtcNow &&
+            var userPart = _membershipService.GetUser(username)?.As<UserPart>();
-                    !userPart.ForcePasswordChange) {
+            if (userPart == null) {
                // user not valid / doesn't exist
                return RedirectToAction("LogOn");
            }
            var membershipSettings = _membershipService.GetSettings();
            // if the password hasn't actually expired for the user, redirect to logon
            var passwordIsActuallyExpired = membershipSettings.EnableCustomPasswordPolicy
                && membershipSettings.EnablePasswordExpiration
                && _membershipService.PasswordIsExpired(userPart, membershipSettings.PasswordExpirationTimeInDays);
            if (!passwordIsActuallyExpired && !userPart.ForcePasswordChange) {
                return RedirectToAction("LogOn");
            }