fix(user): reject disabled/locked users in getUser by default
getUser now returns ErrAccountDisabled or ErrAccountLocked (alongside the full user object) for users with StatusDisabled or StatusAccountLocked. Callers that need disabled/locked users discard the error; all others propagate it automatically. GHSA-94xm-jj8x-3cr4
parent
be771289db
commit
04704e0fde
|
|
@ -314,7 +314,15 @@ func getUser(s *xorm.Session, user *User, withEmail bool) (userOut *User, err er
|
|||
userOut.OverdueTasksRemindersTime = "9:00"
|
||||
}
|
||||
|
||||
return userOut, err
|
||||
if userOut.Status == StatusDisabled {
|
||||
return userOut, &ErrAccountDisabled{UserID: userOut.ID}
|
||||
}
|
||||
|
||||
if userOut.Status == StatusAccountLocked {
|
||||
return userOut, &ErrAccountLocked{UserID: userOut.ID}
|
||||
}
|
||||
|
||||
return userOut, nil
|
||||
}
|
||||
|
||||
func getUserByUsernameOrEmail(s *xorm.Session, usernameOrEmail string) (u *User, err error) {
|
||||
|
|
|
|||
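Review bot: The two new returns at the end of getUser hand back a populated `userOut` together with a non-nil error, a contract that is unusual in Go and is described only in the commit message; a caller that opts in by writing `u, _ := getUser(...)` also drops lookup and database errors, not just the two status errors. I would state the contract on the function, e.g. `// getUser returns the user together with *ErrAccountDisabled or *ErrAccountLocked when the account is not active; userOut is only meaningful alongside a nil error or one of those two.`, and have opt-in callers match exactly these two types with `errors.As` instead of discarding `err`. If these errors can reach an unauthenticated response such as login or password reset, they presumably distinguish disabled and locked accounts from unknown ones, so the handler mapping is worth checking for account-state disclosure. The start of getUser is outside the hunk, so it cannot be confirmed from here that `err` was always nil where `return userOut, err` used to be.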