From f394421c0cc7e8879007092e40e540b2fd1118c1 Mon Sep 17 00:00:00 2001
From: Sascha Greuel <sascha@softcreatr.de>
Date: Sun, 11 Jul 2021 10:24:24 +0200
Subject: [PATCH] Don't leak an account's activation status (#4365)
MIME-Version: 1.0
Content-Type: text/plain; charset=utf8
Content-Transfer-Encoding: 8bit

* Don't leak an account's activation status

* Update wcfsetup/install/files/lib/form/RegisterNewActivationCodeForm.class.php

Co-authored-by: Tim Düsterhus <timwolla@googlemail.com>

Co-authored-by: Tim Düsterhus <timwolla@googlemail.com>
---
 .../RegisterNewActivationCodeForm.class.php   | 19 ++++++++++++++-----
 1 file changed, 14 insertions(+), 5 deletions(-)

diff --git a/wcfsetup/install/files/lib/form/RegisterNewActivationCodeForm.class.php b/wcfsetup/install/files/lib/form/RegisterNewActivationCodeForm.class.php
index 7f7ac1b792..67ab1f1bcf 100644
--- a/wcfsetup/install/files/lib/form/RegisterNewActivationCodeForm.class.php
+++ b/wcfsetup/install/files/lib/form/RegisterNewActivationCodeForm.class.php
@@ -71,6 +71,9 @@ class RegisterNewActivationCodeForm extends AbstractForm {
 		// password
 		$this->validatePassword();
 		
+		// activation state
+		$this->validateActivationState();
+		
 		// email
 		$this->validateEmail();
 	}
@@ -87,10 +90,6 @@ class RegisterNewActivationCodeForm extends AbstractForm {
 		if (!$this->user->userID) {
 			throw new UserInputException('username', 'notFound');
 		}
-		
-		if ($this->user->activationCode == 0) {
-			throw new UserInputException('username', 'alreadyEnabled');
-		}
 	}
 	
 	/**
@@ -106,7 +105,17 @@ class RegisterNewActivationCodeForm extends AbstractForm {
 			throw new UserInputException('password', 'false');
 		}
 	}
-	
+
+	/**
+	 * Validates the activation state.
+	 */
+	public function validateActivationState() {
+		// check if user is already enabled
+		if ($this->user->activationCode == 0) {
+			throw new UserInputException('username', 'alreadyEnabled');
+		}
+	}
+
 	/**
 	 * Validates the email address.
 	 */
-- 
2.20.1