chore: enforce actor

src/Forum/Controller/ResetPasswordController.php

@@ -11,7 +11,9 @@
 
 use DateTime;
 use Flarum\Http\Controller\AbstractHtmlController;
+use Flarum\Http\RequestUtil;
 use Flarum\User\Exception\InvalidConfirmationTokenException;
+use Flarum\User\Exception\NotAuthenticatedException;
 use Flarum\User\PasswordToken;
 use Illuminate\Contracts\View\Factory;
 use Illuminate\Support\Arr;
@@ -44,8 +46,16 @@ public function render(Request $request)
     {
         $token = Arr::get($request->getQueryParams(), 'token');
 
+        /** @var PasswordToken $token */
         $token = PasswordToken::findOrFail($token);
 
+        $actor = RequestUtil::getActor($request);
+        $actor->assertRegistered();
+
+        if ($actor->id !== $token->user_id) {
+            throw new NotAuthenticatedException;
+        }
+
         if ($token->created_at < new DateTime('-1 day')) {
             throw new InvalidConfirmationTokenException;
         }

src/Forum/Controller/SavePasswordController.php

@@ -97,6 +97,12 @@ public function handle(Request $request): ResponseInterface
             return $this->displayWithErrors($request, $token, $e->errors());
         }
 
+        if ($token->user->checkPassword($password)) {
+            return $this->displayWithErrors($request, $token, [
+                'password' => $this->translator->trans('sycho-force-password-reset.forum.new_password_must_be_different')
+            ]);
+        }
+
         $token->user->changePassword($password);
         $token->user->save();