fix: prevent password reset on disabled account

b9fb17d4 · Nicolas Giard · GitHub · d1b4c8c4 · b9fb17d4
Unverified Commit b9fb17d4 authored Aug 29, 2024 by Nicolas Giard Committed by GitHub Aug 29, 2024
Hide whitespace changes
Inline Side-by-side

Showing with 7 additions and 0 deletions

users.js server/models/users.js +7 -0

No files found.
--- a/server/models/users.js
+++ b/server/models/users.js
@@ -499,6 +499,10 @@ module.exports = class User extends Model {
    })

    if (usr) {
+      if (!usr.isActive) {
+        throw new WIKI.Error.AuthAccountBanned()
+      }
+      
      await WIKI.models.users.query().patch({
        password: newPassword,
        mustChangePwd: false
@@ -527,6 +531,9 @@ module.exports = class User extends Model {
    if (!usr) {
      WIKI.logger.debug(`Password reset attempt on nonexistant local account ${email}: [DISCARDED]`)
      return
+    } else if (!usr.isActive) {
+      WIKI.logger.debug(`Password reset attempt on disabled local account ${email}: [DISCARDED]`)
+      return
    }
    const resetToken = await WIKI.models.userKeys.generateToken({
      userId: usr.id,