fix: prevent password reset on disabled account

NGPixel · web-flow · commit b9fb17d4d4a0 · 2024-08-29T03:06:06.000-04:00
diff --git a/server/models/users.js b/server/models/users.js
@@ -499,6 +499,10 @@ module.exports = class User extends Model {
     })
 
     if (usr) {
+      if (!usr.isActive) {
+        throw new WIKI.Error.AuthAccountBanned()
+      }
+      
       await WIKI.models.users.query().patch({
         password: newPassword,
         mustChangePwd: false
@@ -527,6 +531,9 @@ module.exports = class User extends Model {
     if (!usr) {
       WIKI.logger.debug(`Password reset attempt on nonexistant local account ${email}: [DISCARDED]`)
       return
+    } else if (!usr.isActive) {
+      WIKI.logger.debug(`Password reset attempt on disabled local account ${email}: [DISCARDED]`)
+      return
     }
     const resetToken = await WIKI.models.userKeys.generateToken({
       userId: usr.id,
