Fix SpecialPasswordResetOnSubmit parameter handling
author Gergő Tisza <gtisza@wikimedia.org>
Tue, 15 Nov 2016 02:27:02 +0000 (02:27 +0000)
committer Gergő Tisza <gtisza@wikimedia.org>
Tue, 15 Nov 2016 02:41:57 +0000 (02:41 +0000)
Special:PasswordReset will take either the username or the email
into account but never both. Reflect this in the way parameters
are passed to the hook.

This also makes sure hook handlers never receive an unsanitized
email address.

Change-Id: I8d3b3d81e0cd5f92e5cd0a866a16695638610592

includes/user/PasswordReset.php

index 889ec92..e023744 100644 (file)
@@ -134,12 +134,14 @@ class PasswordReset {
                if ( $resetRoutes['username'] && $username ) {
                        $method = 'username';
                        $users = [ User::newFromName( $username ) ];
+                       $email = null;
                } elseif ( $resetRoutes['email'] && $email ) {
                        if ( !Sanitizer::validateEmail( $email ) ) {
                                return StatusValue::newFatal( 'passwordreset-invalidemail' );
                        }
                        $method = 'email';
                        $users = $this->getUsersByEmail( $email );
+                       $username = null;
                } else {
                        // The user didn't supply any data
                        return StatusValue::newFatal( 'passwordreset-nodata' );
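Review bot: The two added assignments, `$email = null;` at the end of the username branch and `$username = null;` at the end of the email branch, carry no comment, and nothing visible in this hunk reads either variable afterwards, so they look like dead stores that a later cleanup could remove. A one-line comment on each saying the unused field is cleared before the parameters are passed to the hook would protect them. In the username branch `$email` is also dropped without going through `Sanitizer::validateEmail()`, so an invalid address submitted together with a username is silently ignored rather than rejected with `passwordreset-invalidemail`; if that is the intended behaviour, state it in the comment, and document for hook handlers that whichever field was not used arrives as null.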