#4933 fix: check email validity before attempting to save email or check if password request is allowed #4934
I tested with a bogus email with valid format; the system saves on every submission beyond the allowed times. Shouldn't we avoid saving beyond the allowed times for this type of email as well, besides invalidly formatted emails?
It is true that inserts are done first and then checked afterwards. But I didn't want to touch that logic part.
…il or check if password request is allowed: 7a12936 to b196220
PHPStan fails, but not because of my changes. No idea what to do in that case. :D Anyone?
I added an extra MR #4937
If the intent of this PR is to lower write amplification: fewer DB writes under spam/abuse, then we need to consider that correctly formatted emails would still get written to the DB until it exceeded 24 hours or per IP limits.
Yes, but please let's do 1 issue 1 pull request. I didn't want to get this all too bloated.
I tasked the AI for a solution, it came up with this:

```php
public function forgotPasswordPostAction()
{
    $email = (string) $this->getRequest()->getPost('email');
    if ($email) {
        $flowPassword = Mage::getModel('customer/flowpassword');
        $flowPassword->setEmail($email); // kiat: no save
        if (!$flowPassword->checkCustomerForgotPasswordFlowEmail($email)) {
            // ...
        }
        if (!$flowPassword->checkCustomerForgotPasswordFlowIp()) {
            // ...
        }
        if (!Zend_Validate::is($email, 'EmailAddress')) {
            // ...
        }
        // ...
        try {
            $flowPassword->save(); // kiat: insert save after try before if
            if ($customerId) {
                /** @var Helper $helper */ // kiat: should remove
                // ...
            }
        } catch (Exception $exception) {
            // ...
        }
        //....
```

I tested it and it works! You can still move the email validation up if desired. The log only saved up to the limit set in the system config.
As I said, this wasn't the intent of this pull request and I feel like it should be done in its own PR.
Modify the customer forgot‑password flow to not save emails beyond the configured limits + 1.
PHPStan errors.
Pull Request Overview
This PR improves the password reset flow by validating email addresses before performing any database operations or flow checks. The change prevents invalid email addresses from being processed or stored during password reset attempts.
Key changes:
- Email validation moved to the beginning of the process
- Database operations only occur after email validation passes
- Improved error handling flow for invalid emails
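
A simplified model of the ordering discussed in this thread, added here as an illustration (not code from the PR or the project). `FlowLog`, `insertFirst`, `checkFirst`, the limit of 5 and the sample requests are assumptions, and `filter_var` stands in for `Zend_Validate`; the script compares how many rows each ordering stores under repeated requests from one IP.

```php
<?php
// In-memory stand-in for the password-flow table. All names and LIMIT are
// hypothetical and chosen for this illustration only.
final class FlowLog
{
    public array $rows = [];
    public function save(string $email, string $ip): void
    {
        $this->rows[] = ['email' => $email, 'ip' => $ip];
    }
    public function countFor(string $field, string $value): int
    {
        return count(array_filter($this->rows, fn($r) => $r[$field] === $value));
    }
}

const LIMIT = 5; // assumed per-email and per-IP limit

// Insert first, check afterwards: every request costs a write.
function insertFirst(FlowLog $log, string $email, string $ip): string
{
    $log->save($email, $ip);
    if ($log->countFor('email', $email) > LIMIT || $log->countFor('ip', $ip) > LIMIT) {
        return 'rate-limited';
    }
    return filter_var($email, FILTER_VALIDATE_EMAIL) ? 'accepted' : 'invalid-email';
}

// Validate, then check limits, and only then write.
function checkFirst(FlowLog $log, string $email, string $ip): string
{
    if (!filter_var($email, FILTER_VALIDATE_EMAIL)) {
        return 'invalid-email'; // nothing stored, nothing queried
    }
    if ($log->countFor('email', $email) >= LIMIT || $log->countFor('ip', $ip) >= LIMIT) {
        return 'rate-limited';  // stored rows stay capped at LIMIT
    }
    $log->save($email, $ip);
    return 'accepted';
}

// Constructed input: 20 requests from one documentation-range IP, alternating
// a malformed address and a well-formed but bogus one.
[$a, $b] = [new FlowLog(), new FlowLog()];
for ($i = 0; $i < 20; $i++) {
    $email = $i % 2 ? 'bogus@example.com' : 'not-an-email';
    insertFirst($a, $email, '203.0.113.7');
    checkFirst($b, $email, '203.0.113.7');
}
printf("insert-first rows: %d, check-first rows: %d\n", count($a->rows), count($b->rows));
```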
Description (*)
This pull request moved the email address validity check to the top, which means that invalid email addresses are no longer saved nor checked in the database, before making sure it is even a valid email address.
Fixed Issues (if relevant)
Manual testing scenarios (*)
Questions or comments
Contribution checklist (*)