fix: prevent password reset on disabled account

10 months ago · b9fb17d4d4
1 changed files with 7 additions and 0 deletions
--- a/server/models/users.js
+++ b/server/models/users.js
@ -499,6 +499,10 @@ module.exports = class User extends Model {
    })

    if (usr) {
+      if (!usr.isActive) {
+        throw new WIKI.Error.AuthAccountBanned()
+      }
+      
      await WIKI.models.users.query().patch({
        password: newPassword,
        mustChangePwd: false
@ -527,6 +531,9 @@ module.exports = class User extends Model {
    if (!usr) {
      WIKI.logger.debug(`Password reset attempt on nonexistant local account ${email}: [DISCARDED]`)
      return
+    } else if (!usr.isActive) {
+      WIKI.logger.debug(`Password reset attempt on disabled local account ${email}: [DISCARDED]`)
+      return
    }
    const resetToken = await WIKI.models.userKeys.generateToken({
      userId: usr.id,