fix: prevent password reset on disabled account

pull/7342/head
Nicolas Giard 3 months ago committed by GitHub
parent d1b4c8c407
commit b9fb17d4d4
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194

@ -499,6 +499,10 @@ module.exports = class User extends Model {
}) })
if (usr) { if (usr) {
if (!usr.isActive) {
throw new WIKI.Error.AuthAccountBanned()
}
await WIKI.models.users.query().patch({ await WIKI.models.users.query().patch({
password: newPassword, password: newPassword,
mustChangePwd: false mustChangePwd: false
@ -527,6 +531,9 @@ module.exports = class User extends Model {
if (!usr) { if (!usr) {
WIKI.logger.debug(`Password reset attempt on nonexistant local account ${email}: [DISCARDED]`) WIKI.logger.debug(`Password reset attempt on nonexistant local account ${email}: [DISCARDED]`)
return return
} else if (!usr.isActive) {
WIKI.logger.debug(`Password reset attempt on disabled local account ${email}: [DISCARDED]`)
return
} }
const resetToken = await WIKI.models.userKeys.generateToken({ const resetToken = await WIKI.models.userKeys.generateToken({
userId: usr.id, userId: usr.id,
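Review bot: In the second hunk the new `else if (!usr.isActive)` branch records the discarded reset only at debug level and interpolates the caller-supplied `email` into the message as-is. A reset request against a disabled account is an event operators usually want visible at the default log level, and unless the address is validated upstream it can carry line breaks into the log; consider logging through `WIKI.logger.warn` and embedding the value as `JSON.stringify(email)`. The silent `return` rightly keeps the outcome identical to the unknown-account case, though both early returns skip token generation and whatever follows it, so response timing may still differ from the success path, which is worth confirming in the caller. In the first hunk the rejection throws `AuthAccountBanned` after the lookup, and whether the presented reset token is invalidated on that path is not visible here. Both enclosing functions start and end outside the hunks.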
