Core: Password reset has no validation rules

Nice catch, thank you!

I want to try this. I am familiar with native laravel app structure as well as dingo/api but not with your app setup. So can you help me out where to start with this bug ? or link of some quick introduction to app structure of flarum/core

@poush That's great, thank you!

The routes for the forum frontend can be found in the ForumServiceProvider class. There, you can see that the SavePasswordController is responsible for handling the password reset requests.

That's where you need to add the validation, possibly by using the UserValidator class.

I hope that helps you in getting started. :)

From little digging into core. I saw there RegisterUserHandler where validation is done in registration process and similarly in RequestPasswordResetHandler when generating password but there is no such Handler for saving password.

It goes like savePassword route to SavePasswordController then ends there. So is there need of some Flarum\Core\Command\SavePasswordHandler ? or I should do validation part in SavePasswordController ?

@poush there is this:

https://github.com/flarum/core/blob/master/src/Core/Command/RequestPasswordResetHandler.php

@Luceos but this handles the request for token generation and mailing user the token generated.

My apologies, my bad :) Yes this should be modified in
https://github.com/flarum/core/blob/master/src/Forum/Controller/SavePasswordController.php

I wasn't sure but there has been talk about dropping the handler, because it generated too much confusion. So simply hack it in there and you should be good for a merge already. We can refactor it if needed in a follow up issue.

please check #943

Thanks a lot, @poush !

Thank you @franzliedke and @Luceos for guiding me to make my first contribution on flarum

This was a very impressive first contribution :+1: