Skip to content

Prevent email enumeration on public registration #17085

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
wants to merge 8 commits into
base: 4.x
Choose a base branch
from
Open

Prevent email enumeration on public registration #17085

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
8 commits
Select commit Hold shift + click to select a range
8fafe2c
Prevent email enumeration on public registration
timkelty Apr 14, 2025
ffb83f0
Check for preventUserEnumeration
timkelty Apr 15, 2025
e6002f3
Changelog
timkelty Apr 16, 2025
594e58a
Merge branch '4.x' into bugfix/email-enumeration
brandonkelly Apr 25, 2025
8974309
Merge branch '4.x' into bugfix/email-enumeration
brandonkelly May 6, 2025
6b7e849
Merge branch '4.16' into bugfix/email-enumeration
brandonkelly May 6, 2025
058b358
Merge branch '4.16' into bugfix/email-enumeration
brandonkelly May 6, 2025
21fd6c5
Move the release note to the WIP changelog
brandonkelly May 6, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
3 changes: 3 additions & 0 deletions CHANGELOG-WIP.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -6,3 +6,6 @@

### Extensibility
- Added `craft\fields\BaseRelationField::canShowSiteMenu()`.

### System
- Prevented potential email enumeration on public registration forms. ([#17085](https://github.com/craftcms/cms/pull/17085))
190 changes: 104 additions & 86 deletions src/controllers/UsersController.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -1483,6 +1483,7 @@ public function actionSaveUser(): ?Response

// Manually validate the user so we can pass $clearErrors=false
$success = $user->validate(null, false) && Craft::$app->getElements()->saveElement($user, false);
$existingEmailUser = null;

if (!$success) {
Craft::info('User not saved due to validation error.', __METHOD__);
Expand All @@ -1493,111 +1494,128 @@ public function actionSaveUser(): ?Response
$user->clearErrors('newPassword');
}

// Copy any 'unverifiedEmail' errors to 'email'
if (!$user->hasErrors('email')) {
if ($user->hasErrors('email')) {
if (Craft::$app->getConfig()->getGeneral()->preventUserEnumeration && $isPublicRegistration && $user->email) {
$existingEmailUser = User::find()
->email(Db::escapeParam($user->email))
->status(null)
->one();

if ($existingEmailUser) {
$user->clearErrors('email');
}
}
} else {
// Copy any 'unverifiedEmail' errors to 'email'
$user->addErrors(['email' => $user->getErrors('unverifiedEmail')]);
$user->clearErrors('unverifiedEmail');
}

return $this->asModelFailure(
$user,
StringHelper::upperCaseFirst(Craft::t('app', 'Couldn’t save {type}.', [
'type' => User::lowerDisplayName(),
])),
$userVariable
);
}

// If this is a new user and email verification isn't required,
// go ahead and activate them now.
if ($isNewUser && !$requireEmailVerification && !$deactivateByDefault) {
Craft::$app->getUsers()->activateUser($user);
if ($user->hasErrors()) {
return $this->asModelFailure(
$user,
StringHelper::upperCaseFirst(Craft::t('app', 'Couldn’t save {type}.', [
'type' => User::lowerDisplayName(),
])),
$userVariable
);
}
}

if ($isCurrentUser) {
// Save their preferences too
$preferredLocale = $this->request->getBodyParam('preferredLocale', $user->getPreference('locale')) ?: null;
if ($preferredLocale === '__blank__') {
$preferredLocale = null;
if ($existingEmailUser) {
Craft::$app->getUsers()->sendNewEmailVerifyEmail($existingEmailUser);
} else {
// If this is a new user and email verification isn't required,
// go ahead and activate them now.
if ($isNewUser && !$requireEmailVerification && !$deactivateByDefault) {
Craft::$app->getUsers()->activateUser($user);
}
$preferences = [
'language' => $this->request->getBodyParam('preferredLanguage', $user->getPreference('language')),
'locale' => $preferredLocale,
'weekStartDay' => $this->request->getBodyParam('weekStartDay', $user->getPreference('weekStartDay')),
'alwaysShowFocusRings' => (bool)$this->request->getBodyParam('alwaysShowFocusRings', $user->getPreference('alwaysShowFocusRings')),
'useShapes' => (bool)$this->request->getBodyParam('useShapes', $user->getPreference('useShapes')),
'underlineLinks' => (bool)$this->request->getBodyParam('underlineLinks', $user->getPreference('underlineLinks')),
'notificationDuration' => $this->request->getBodyParam('notificationDuration', $user->getPreference('notificationDuration')),
];

if ($user->admin) {
$preferences = array_merge($preferences, [
'showFieldHandles' => (bool)$this->request->getBodyParam('showFieldHandles', $user->getPreference('showFieldHandles')),
'enableDebugToolbarForSite' => (bool)$this->request->getBodyParam('enableDebugToolbarForSite', $user->getPreference('enableDebugToolbarForSite')),
'enableDebugToolbarForCp' => (bool)$this->request->getBodyParam('enableDebugToolbarForCp', $user->getPreference('enableDebugToolbarForCp')),
'showExceptionView' => (bool)$this->request->getBodyParam('showExceptionView', $user->getPreference('showExceptionView')),
'profileTemplates' => (bool)$this->request->getBodyParam('profileTemplates', $user->getPreference('profileTemplates')),
]);
}
if ($isCurrentUser) {
// Save their preferences too
$preferredLocale = $this->request->getBodyParam('preferredLocale', $user->getPreference('locale')) ?: null;
if ($preferredLocale === '__blank__') {
$preferredLocale = null;
}
$preferences = [
'language' => $this->request->getBodyParam('preferredLanguage', $user->getPreference('language')),
'locale' => $preferredLocale,
'weekStartDay' => $this->request->getBodyParam('weekStartDay', $user->getPreference('weekStartDay')),
'alwaysShowFocusRings' => (bool)$this->request->getBodyParam('alwaysShowFocusRings', $user->getPreference('alwaysShowFocusRings')),
'useShapes' => (bool)$this->request->getBodyParam('useShapes', $user->getPreference('useShapes')),
'underlineLinks' => (bool)$this->request->getBodyParam('underlineLinks', $user->getPreference('underlineLinks')),
'notificationDuration' => $this->request->getBodyParam('notificationDuration', $user->getPreference('notificationDuration')),
];

Craft::$app->getUsers()->saveUserPreferences($user, $preferences);
Craft::$app->updateTargetLanguage();
}
if ($user->admin) {
$preferences = array_merge($preferences, [
'showFieldHandles' => (bool)$this->request->getBodyParam('showFieldHandles', $user->getPreference('showFieldHandles')),
'enableDebugToolbarForSite' => (bool)$this->request->getBodyParam('enableDebugToolbarForSite', $user->getPreference('enableDebugToolbarForSite')),
'enableDebugToolbarForCp' => (bool)$this->request->getBodyParam('enableDebugToolbarForCp', $user->getPreference('enableDebugToolbarForCp')),
'showExceptionView' => (bool)$this->request->getBodyParam('showExceptionView', $user->getPreference('showExceptionView')),
'profileTemplates' => (bool)$this->request->getBodyParam('profileTemplates', $user->getPreference('profileTemplates')),
]);
}

// Is this the current user, and did their username just change?
// todo: remove comment when WI-51866 is fixed
/** @noinspection PhpUndefinedVariableInspection */
if ($isCurrentUser && $user->username !== $oldUsername) {
// Update the username cookie
$userSession->sendUsernameCookie($user);
}
Craft::$app->getUsers()->saveUserPreferences($user, $preferences);
Craft::$app->updateTargetLanguage();
}

// Save the user’s photo, if it was submitted
$this->_processUserPhoto($user);
// Is this the current user, and did their username just change?
// todo: remove comment when WI-51866 is fixed
/** @noinspection PhpUndefinedVariableInspection */
if ($isCurrentUser && $user->username !== $oldUsername) {
// Update the username cookie
$userSession->sendUsernameCookie($user);
}

if (Craft::$app->getEdition() === Craft::Pro) {
// If this is public registration, assign the user to the default user group
if ($isPublicRegistration) {
// Assign them to the default user group
Craft::$app->getUsers()->assignUserToDefaultGroup($user);
} elseif ($currentUser) {
// Fire an 'afterBeforeGroupsAndPermissions' event
if ($this->hasEventHandlers(self::EVENT_BEFORE_ASSIGN_GROUPS_AND_PERMISSIONS)) {
$this->trigger(self::EVENT_BEFORE_ASSIGN_GROUPS_AND_PERMISSIONS, new UserEvent([
'user' => $user,
]));
}
// Save the user’s photo, if it was submitted
$this->_processUserPhoto($user);

if (Craft::$app->getEdition() === Craft::Pro) {
// If this is public registration, assign the user to the default user group
if ($isPublicRegistration) {
// Assign them to the default user group
Craft::$app->getUsers()->assignUserToDefaultGroup($user);
} elseif ($currentUser) {
// Fire an 'afterBeforeGroupsAndPermissions' event
if ($this->hasEventHandlers(self::EVENT_BEFORE_ASSIGN_GROUPS_AND_PERMISSIONS)) {
$this->trigger(self::EVENT_BEFORE_ASSIGN_GROUPS_AND_PERMISSIONS, new UserEvent([
'user' => $user,
]));
}

// Assign user groups and permissions if the current user is allowed to do that
$this->_saveUserGroups($user, $currentUser);
$this->_saveUserPermissions($user, $currentUser);
// Assign user groups and permissions if the current user is allowed to do that
$this->_saveUserGroups($user, $currentUser);
$this->_saveUserPermissions($user, $currentUser);

// Fire an 'afterAssignGroupsAndPermissions' event
if ($this->hasEventHandlers(self::EVENT_AFTER_ASSIGN_GROUPS_AND_PERMISSIONS)) {
$this->trigger(self::EVENT_AFTER_ASSIGN_GROUPS_AND_PERMISSIONS, new UserEvent([
'user' => $user,
]));
// Fire an 'afterAssignGroupsAndPermissions' event
if ($this->hasEventHandlers(self::EVENT_AFTER_ASSIGN_GROUPS_AND_PERMISSIONS)) {
$this->trigger(self::EVENT_AFTER_ASSIGN_GROUPS_AND_PERMISSIONS, new UserEvent([
'user' => $user,
]));
}
}
}
}

// Do we need to send a verification email out?
if ($sendActivationEmail) {
// Temporarily set the unverified email on the User so the verification email goes to the
// right place
$originalEmail = $user->email;
$user->email = $user->unverifiedEmail;
// Do we need to send a verification email out?
if ($sendActivationEmail) {
// Temporarily set the unverified email on the User so the verification email goes to the
// right place
$originalEmail = $user->email;
$user->email = $user->unverifiedEmail;

if ($isNewUser) {
// Send the activation email
Craft::$app->getUsers()->sendActivationEmail($user);
} else {
// Send the standard verification email
Craft::$app->getUsers()->sendNewEmailVerifyEmail($user);
}
if ($isNewUser) {
// Send the activation email
Craft::$app->getUsers()->sendActivationEmail($user);
} else {
// Send the standard verification email
Craft::$app->getUsers()->sendNewEmailVerifyEmail($user);
}

// Put the original email back into place
$user->email = $originalEmail;
// Put the original email back into place
$user->email = $originalEmail;
}
}

// Is this public registration, and was the user going to be activated automatically?
Expand Down