authorFlorian Pritz <bluewind@xinu.at>2024-04-14 12:59:00 +0200
committerFlorian Pritz <bluewind@xinu.at>2024-04-14 14:20:00 +0200
commitb2cfe36d7c07ac767113ad9dbd9ec27fc794f35c (patch)
treecd20fcfa578f29c431e892d7b2d7460efc1bec8e
parent698f486a795e19a680624d9aa8cd2802cab317f0 (diff)
fix(duser_db): Guard against NULL values
When a user is deleted, their details are set to NULL. When no username is specified for a password reset, this can trigger an email being sent to an empty recipient which will not be deliverable. Just to be safe, guard against NULL values for all the user related functions. Signed-off-by: Florian Pritz <bluewind@xinu.at>
-rw-r--r--NEWS1
-rw-r--r--application/libraries/Duser/drivers/Duser_db.php12
2 files changed, 13 insertions, 0 deletions
diff --git a/NEWS b/NEWS
index 89a76b342..b70320d2b 100644
--- a/NEWS
+++ b/NEWS
@@ -1,6 +1,7 @@
This file lists major, incompatible or otherwise important changes, you should look at it after every update.
NEXT
+ - Fix password reset trying to send mails to deleted users
4.0.1 2024-01-14
- Fix PHP 8.2 deprecation warnings
diff --git a/application/libraries/Duser/drivers/Duser_db.php b/application/libraries/Duser/drivers/Duser_db.php
index 062da9e54..e1df20f1f 100644
--- a/application/libraries/Duser/drivers/Duser_db.php
+++ b/application/libraries/Duser/drivers/Duser_db.php
@@ -24,6 +24,10 @@ class Duser_db extends Duser_Driver {
{
$CI =& get_instance();
+ if ($username === null) {
+ return false;
+ }
+
$query = $CI->db->select('username, id, password')
->from('users')
->where('username', $username)
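Review bot: The new guard `if ($username === null)` rejects only a literal null, so any other non-string value (for example `false` or an array, if callers pass request input through unchecked, which is not visible here) still reaches `->where('username', $username)`. A type check such as `if (!is_string($username) || $username === '') { return false; }` would cover those cases too, and the same applies to the identical guard in the next hunk. A one-line comment stating why null is special would help the next reader, e.g. `// deleted users have NULL details; a null username must never reach the query`. The enclosing method starts and ends outside this hunk.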
@@ -48,6 +52,10 @@ class Duser_db extends Duser_Driver {
{
$CI =& get_instance();
+ if ($username === null) {
+ return false;
+ }
+
$query = $CI->db->select('id')
->from('users')
->where('username', $username)
@@ -64,6 +72,10 @@ class Duser_db extends Duser_Driver {
{
$CI =& get_instance();
+ if ($userid === null) {
+ throw new \exceptions\ApiException("libraries/duser/db/get_email-failed", "User does not exist");
+ }
+
$query = $CI->db->select('email')
->from('users')
->where('id', $userid)
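Review bot: The check `if ($userid === null)` does not catch the `false` that the username-lookup guard in the previous hunk now returns, so if a caller passes that result straight on (the call sites are not visible here), `false` passes this guard and reaches `->where('id', $userid)`. Widening the condition to `if ($userid === null || $userid === false) {` keeps the two guards consistent. This method also signals the failure by throwing while the other two return false, so a docblock line such as `@throws \exceptions\ApiException when $userid is null` would make that contract explicit. The method body continues outside the hunk.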