From b9fb17d4d4a0956ec35e8c73cc85192552fb8d16 Mon Sep 17 00:00:00 2001
From: Nicolas Giard
Date: Thu, 29 Aug 2024 03:06:06 -0400
Subject: [PATCH] fix: prevent password reset on disabled account
---
 server/models/users.js | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/server/models/users.js b/server/models/users.js
index 33f6b24fd8..8191621dbb 100644
--- a/server/models/users.js
+++ b/server/models/users.js
@@ -499,6 +499,10 @@ module.exports = class User extends Model {
 })
 if (usr) {
+ if (!usr.isActive) {
+ throw new WIKI.Error.AuthAccountBanned()
+ }
+
 await WIKI.models.users.query().patch({
 password: newPassword,
 mustChangePwd: false
@@ -527,6 +531,9 @@ module.exports = class User extends Model {
 if (!usr) {
 WIKI.logger.debug(`Password reset attempt on nonexistant local account ${email}: [DISCARDED]`)
 return
+ } else if (!usr.isActive) {
+ WIKI.logger.debug(`Password reset attempt on disabled local account ${email}: [DISCARDED]`)
+ return
 }
 const resetToken = await WIKI.models.userKeys.generateToken({
 userId: usr.id,
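Review bot: The new `if (!usr.isActive)` guard in the first hunk rejects the reset without leaving any log entry, unlike the request path in the second hunk, which records the discarded attempt. A reset being completed against a disabled account is an event an operator would want to see, so I would add `WIKI.logger.warn('Password reset rejected for disabled account id ' + usr.id)` just before the `throw`. The hunk also does not show whether the reset token that led here is invalidated when the error is thrown; if it is not, a token issued before the account was disabled would presumably become usable again once the account is re-enabled, until it expires. The enclosing method starts and ends outside the hunk, so both points should be checked against the full body.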
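Review bot: The disabled-account branch in the second hunk logs only at `debug` level and writes the submitted `email` into the message. If the deployment runs above debug level the event is invisible to monitoring, and where debug is enabled the address ends up in the log. Since `usr` is already loaded at this point, logging the id at a higher level keeps the signal without the address: `WIKI.logger.warn('Password reset attempt on disabled local account id ' + usr.id + ': [DISCARDED]')`. The silent `return` matches the nonexistent-account branch, which keeps the outcome identical for both cases. Whether skipping the token generation leaves a measurable timing difference against an active account depends on code outside the hunk.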