Special:PasswordReset will take either the username or the email
into account but never both. Reflect this in the way parameters
are passed to the hook.
This also makes sure hook handlers never receive an unsanitized
email address.
Change-Id: I8d3b3d81e0cd5f92e5cd0a866a16695638610592
if ( $resetRoutes['username'] && $username ) {
$method = 'username';
$users = [ User::newFromName( $username ) ];
if ( $resetRoutes['username'] && $username ) {
$method = 'username';
$users = [ User::newFromName( $username ) ];
} elseif ( $resetRoutes['email'] && $email ) {
if ( !Sanitizer::validateEmail( $email ) ) {
return StatusValue::newFatal( 'passwordreset-invalidemail' );
}
$method = 'email';
$users = $this->getUsersByEmail( $email );
} elseif ( $resetRoutes['email'] && $email ) {
if ( !Sanitizer::validateEmail( $email ) ) {
return StatusValue::newFatal( 'passwordreset-invalidemail' );
}
$method = 'email';
$users = $this->getUsersByEmail( $email );
} else {
// The user didn't supply any data
return StatusValue::newFatal( 'passwordreset-nodata' );
} else {
// The user didn't supply any data
return StatusValue::newFatal( 'passwordreset-nodata' );