fix(user): reject disabled/locked users in getUser by default

getUser now returns ErrAccountDisabled or ErrAccountLocked (alongside
the full user object) for users with StatusDisabled or StatusAccountLocked.
Callers that need disabled/locked users discard the error; all others
propagate it automatically.

GHSA-94xm-jj8x-3cr4
kolaente 2026-03-23 12:20:16 +01:00 committed by kolaente
parent be771289db
commit 04704e0fde
1 changed files with 9 additions and 1 deletions


@ -314,7 +314,15 @@ func getUser(s *xorm.Session, user *User, withEmail bool) (userOut *User, err er
userOut.OverdueTasksRemindersTime = "9:00"
}
return userOut, err
if userOut.Status == StatusDisabled {
return userOut, &ErrAccountDisabled{UserID: userOut.ID}
}
if userOut.Status == StatusAccountLocked {
return userOut, &ErrAccountLocked{UserID: userOut.ID}
}
return userOut, nil
}
func getUserByUsernameOrEmail(s *xorm.Session, usernameOrEmail string) (u *User, err error) {
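Review bot: The new returns at the end of getUser hand back a populated `userOut` together with a non-nil error, which departs from the usual Go expectation that the value is unusable when `err != nil`, and nothing at the return site documents that contract. A caller that opts in by discarding the error wholesale (`u, _ := getUser(...)`) would also swallow any lookup or database error produced earlier in the function, so opt-in callers should filter on the two account-status types only, for example `var d *ErrAccountDisabled; if err != nil && !errors.As(err, &d) { return nil, err }`, with the same for `*ErrAccountLocked`. I would add a comment above the status checks such as `// Disabled and locked users are returned together with a typed error; callers must treat every other error as fatal.` The check also enumerates two statuses, so any status added later passes through by default; it is worth confirming that this is intended rather than rejecting everything that is not the active status. getUser's body starts outside the hunk, and whether getUserByUsernameOrEmail below reaches the same check is not visible here.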