Fix leak of unclaimed user ID in UsersEmailApiHandler

remp/hiking#10
remp2020 · Feb 6, 2022 · a14b7f8 · a14b7f8
1 parent de42a94
commit a14b7f8
Show file tree

Hide file tree

Showing 2 changed files with 3 additions and 2 deletions.
diff --git a/src/Api/UsersEmailHandler.php b/src/Api/UsersEmailHandler.php
@@ -79,6 +79,7 @@ public function handle(ApiAuthorizationInterface $authorization)
                 $status = 'taken';
                 $passwordStatus = ($params['password']) ? false : null;
             } elseif ($authException->getCode() ===  UserAuthenticator::NOT_APPROVED) {
+                $user = null;
                 $status = 'available';
             } else {
                 $status = 'taken';

diff --git a/src/Tests/UsersEmailHandlerTest.php b/src/Tests/UsersEmailHandlerTest.php
@@ -208,8 +208,8 @@ public function testUnclaimedUser()
 
         $this->assertEquals('available', $payload['status']);
         $this->assertEquals($email, $payload['email']);
-        $this->assertEquals($user->id, $payload['id']);
-        $this->assertEquals(null, $payload['password']);
+        $this->assertNull($payload['id']);
+        $this->assertNull($payload['password']);
         $this->assertEquals(LoginAttemptsRepository::STATUS_UNCLAIMED_USER, $lastAttempt->status);
     }