Possible bug in CMSModules_Membership_Controls_ResetPassword

Daniel Main asked on October 28, 2019 21:03

I think I may have found a bug in CMSModules_Membership_Controls_ResetPassword, particularly in the OnLoad method.

Everything seemes to go well till I hit these lines:

 if (!RequestHelper.IsPostBack())
        if (policyReq > 0)
            ShowInformation(GetString("passwordpolicy.policynotmet") + "<br />" + passStrength.GetPasswordPolicyHint());

        UserInfo ui;

        // Get user info
        int userId = GetResetRequestID();
        if (userId > 0)
            // Invalidation forces user info to load user settings from DB and not use cached values.
            ui = UserInfoProvider.GetUserInfo(userId);
            ui = UserInfoProvider.GetUsersDataWithSettings()
                .WhereEquals("UserPasswordRequestHash", hash).TopN(1).FirstOrDefault();

        // There is nobody to reset password for
        if (ui == null)

        // Validate request
        ResetPasswordResultEnum result = AuthenticationHelper.ValidateResetPassword(ui, hash, time, interval, "Reset password control");

        // Prepare messages
        string resultMessage = string.Empty;

        // Check result
        switch (result)
            case ResetPasswordResultEnum.Success:
                // Save user to session

                // Delete it from user info
                ui.UserPasswordRequestHash = null;


            case ResetPasswordResultEnum.TimeExceeded:
                resultMessage = DataHelper.GetNotEmpty(ExceededIntervalText, String.Format(ResHelper.GetString("membership.passwreqinterval"), URLHelper.AddParameterToUrl(securedAreasLogonUrl, "forgottenpassword", "1")));

                resultMessage = invalidRequestMessage;

once it sucessfully grabs the userinfo, it then removes the hash. Ok, all well and good, but then when the user attempts to reset their password there is no hash for the function:

  string resultText = AuthenticationHelper.ResetPassword(hash, time, userId, interval, passStrength.Text, "Reset password control", emailFrom, siteName, null, out success, InvalidRequestText, ExceededIntervalText);

to interact with, thus it returns an invalid result.

I attempted to return the hash to the database record before pressing the button and it processed the request successfully.

So is this a bug, or am I doing something wrong?

   Please, sign in to be able to submit a new answer.