[Bug]: Superusers can't request a password reset link

[DanielBolef]

Is there an existing issue for this?

• I have searched the existing issues

What happened?

Superusers can't request a password reset link from the forgot password page when "use email as username" is enabled.

Steps to reproduce?

1. Have a superuser account
2. Enable "Use Email Address as Username" in registration settings
3. Go to a login module, click "Reset Password"
4. Enter the superuser account email
5. Submit

Current Behavior

No password reset email is sent.

Expected Behavior

Password reset email is sent.

Relevant log output

Admin log: "Password Sent Failure" "Cause:If the details entered for <email> were correct, you should receive an email message shortly with a link to reset your password."

Anything else?

This appears to happen because of the way users are looked up.

1. Dnn.Platform/DNN Platform/Website/admin/Security/SendPassword.ascx.cs

   Line 325 in 4b0214b

   private void GetUser()

   Calls the UserController. "ShowEmailField" comes from the "Use Email Address as Username" setting (among other things, who's cases are probably also broken). When true, it calls UserController.GetUsersByEmail with the current portal ID.

2. Dnn.Platform/DNN Platform/Library/Data/DataProvider.cs

   Line 2145 in 236dbe3

   public virtual IDataReader GetUsersByEmail(int portalID, string email, int pageIndex, int pageSize, bool includeDeleted, bool superUsersOnly)

   UserController calls into the membership provider, which eventually ends up here. The "GetUsersByEmail" stored procedure selects from "vw_Users". "vw_Users" replaces UserId with 0 when JOINing [Users] with [UserPortals], which causes it to never return a user if it is a super user.
3. Since the user cannot be looked up, password reset treats it as if an invalid email/username was entered, and just does nothing.

The solution probably needs to change how users are looked up. I imagine "vw_Users" prevents looking up super users for security reasons, so probably don't want to change that. Instead using a method that doesn't utilize that view is probably what needs to happen.

Affected Versions

10.3.2 (latest release)

What browsers are you seeing the problem on?

No response

Code of Conduct

• I agree to follow this project's Code of Conduct

[sleupold]

since superusers have excessive permissions, they don't have the option to request a password reset (to prevent man in the middle attacks). In case of a forgotton superuser password, you may create a new user and set the "isSuperuser" flag manually in the users table of the database. restart the application for the change to become effective.

[DanielBolef]

Alternatively, maybe a change in messaging instead? Currently the error message in the admin logs is very unhelpful, maybe log something like "Superusers cannot request password reset"? Could even go as far as emailing that notification instead of the password reset link (or nothing, as it is now).