Password Reset not Working with Multiple Organisations

[davidrei]

Prerequisite:

• Admidio is configured with multiple organisations
• user accounts exist exclusively in one of the organisations

Issue:

• user with an organisation other than id=1 wants to reset his password
• triggers reset using lost password page /adm_program/system/lost_password.php
• no mail is sent to the user

Analysis:

• /adm_program/system/lost_password.phpcarries no information about the organisation nor does it allow the user to select an organisation
• debugging reveals that apparently the organisation id is set hard to 1 on querying the database for a matching user record

[2018-09-24 15:55:12.639039] Admidio.INFO: SQL: SELECT usr_id FROM adm_members INNER JOIN adm_roles ON rol_id = mem_rol_id INNER JOIN adm_categories ON cat_id = rol_cat_id INNER JOIN adm_users ON usr_id = mem_usr_id INNER JOIN adm_user_data AS email ON email.usd_usr_id = usr_id AND email.usd_usf_id = ? AND email.usd_value = ? WHERE LENGTH(usr_login_name) > 0 AND rol_valid = 1 AND usr_valid = 1 AND mem_begin <= ? AND mem_end > ? AND ( cat_org_id = ? OR cat_org_id IS NULL ) GROUP BY usr_id [12,"test@email.com","2018-09-24","2018-09-24",1] {"file":"/…/adm_program/system/classes/Database.php","line":723,"class":"Database","function":"queryPrepared"}

Possible Solution

1. Remove the criteria which limits the search to only the default cat_org_id
2. In case more than one record is found, invalidate the form and ask the user for an organisation (drop down menu)
3. once only one record is found, proceed with the process as is and send out the mail

[Fasse]

thanks for the detailed description of the bug.

The solution will be not the check for the organization. We will only check for a valid role membership and thats all. The role membership could be from organization A or B or C that doesn't matter.