mod_invites_register: Stricter validation of registration events

This fixes two problems:

  1) Account invites that were created with a specific username were not
     in fact restricted to that username.

  2) Password reset invites were not restricted to resetting passwords,
     but could be used to create an arbitrary new account if the client
     or registration frontend (e.g. mod_invites_register_web) doesn't
     handle/enforce the username.

This new validation ensures that registrations and resets are always for the
username specified in the invitation.

1 files changed, 14 insertions, 2 deletions

diff --git a/plugins/mod_invites_register.lua b/plugins/mod_invites_register.lua
index d9274ce4..76b644c7 100644
--- a/plugins/mod_invites_register.lua
+++ b/plugins/mod_invites_register.lua
@@ -101,8 +101,20 @@ module:hook("user-registering", function (event)
 		-- for this module to do...
 		return;
 	end
-	if validated_invite and validated_invite.additional_data and validated_invite.additional_data.allow_reset then
-		event.allow_reset = validated_invite.additional_data.allow_reset;
+	if validated_invite then
+		local username = validated_invite.username;
+		if username and username ~= event.username then
+			event.allowed = false;
+			event.reason = "The chosen username is not valid with this invitation";
+		end
+		local reset_username = validated_invite.additional_data and validated_invite.additional_data.allow_reset;
+		if reset_username then
+			if reset_username ~= event.username then
+				event.allowed = false;
+				event.reason = "Incorrect username for password reset";
+			end
+			event.allow_reset = reset_username;
+		end
 	end
 end);