ACP2E-3992: Customer password reset through GraphQL doesn't honour the restrictions

Author: soklymeach

app/code/Magento/Security/Model/Plugin/AccountManagement.php

@@ -1,7 +1,7 @@
 <?php
 /**
- * Copyright © Magento, Inc. All rights reserved.
- * See COPYING.txt for license details.
+ * Copyright 2016 Adobe
+ * All Rights Reserved.
  */
 declare(strict_types=1);
 
@@ -80,7 +80,8 @@ public function beforeInitiatePasswordReset(
     ) {
         if ($this->scope->getCurrentScope() == Area::AREA_FRONTEND
             || $this->passwordRequestEvent == PasswordResetRequestEvent::ADMIN_PASSWORD_RESET_REQUEST
-            || ($this->scope->getCurrentScope() == Area::AREA_WEBAPI_REST
+            || (($this->scope->getCurrentScope() == Area::AREA_WEBAPI_REST
+                    || $this->scope->getCurrentScope() == Area::AREA_GRAPHQL)
             && $this->passwordRequestEvent == PasswordResetRequestEvent::CUSTOMER_PASSWORD_RESET_REQUEST)) {
             $this->securityManager->performSecurityCheck(
                 $this->passwordRequestEvent,

app/code/Magento/Security/Test/Unit/Model/Plugin/AccountManagementTest.php

@@ -1,7 +1,7 @@
 <?php
 /**
- * Copyright © Magento, Inc. All rights reserved.
- * See COPYING.txt for license details.
+ * Copyright 2016 Adobe
+ * All Rights Reserved.
  */
 declare(strict_types=1);
 
@@ -120,6 +120,7 @@ public static function beforeInitiatePasswordResetDataProvider()
             // This should never happen, but let's cover it with tests
             [Area::AREA_FRONTEND, PasswordResetRequestEvent::ADMIN_PASSWORD_RESET_REQUEST, 1],
             [Area::AREA_WEBAPI_REST, PasswordResetRequestEvent::CUSTOMER_PASSWORD_RESET_REQUEST, 1],
+            [Area::AREA_GRAPHQL, PasswordResetRequestEvent::CUSTOMER_PASSWORD_RESET_REQUEST, 1],
         ];
     }
 }