[4.x] Security Hardening: Unset the activation token if the mail address changes (#45221)

SniperSister · web-flow · commit 94bd6a877bd1 · 2025-04-03T14:33:22.000+02:00
* Unset the activation token, if the mail address changes

* strict type compare

---------
diff --git a/libraries/src/User/User.php b/libraries/src/User/User.php
@@ -740,6 +740,11 @@ public function save($updateOnly = false)
                 }
             }
 
+            // Unset the activation token, if the mail address changes - that affects both, activation and PW resets
+            if ($this->email !== $oldUser->email && $this->id !== 0 && !empty($this->activation) && !$this->block) {
+                $table->activation = '';
+            }
+
             // Fire the onUserBeforeSave event.
             PluginHelper::importPlugin('user');
 

Original file line number	Diff line number	Diff line change
`@@ -740,6 +740,11 @@ public function save($updateOnly = false)`
`740`	`740`	`}`
`741`	`741`	`}`
`742`	`742`
	`743`	`+ // Unset the activation token, if the mail address changes - that affects both, activation and PW resets`
	`744`	`+ if ($this->email !== $oldUser->email && $this->id !== 0 && !empty($this->activation) && !$this->block) {`
	`745`	`+ $table->activation = '';`
	`746`	`+ }`
	`747`	`+`
`743`	`748`	`// Fire the onUserBeforeSave event.`
`744`	`749`	`PluginHelper::importPlugin('user');`
`745`	`750`