From 04704e0fde4b027039cf583110cee7afe136fc1b Mon Sep 17 00:00:00 2001
From: kolaente
Date: Mon, 23 Mar 2026 12:20:16 +0100
Subject: [PATCH] fix(user): reject disabled/locked users in getUser by default

getUser now returns ErrAccountDisabled or ErrAccountLocked (alongside the full user object) for users with StatusDisabled or StatusAccountLocked. Callers that need disabled/locked users discard the error; all others propagate it automatically.

GHSA-94xm-jj8x-3cr4
---
 pkg/user/user.go | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/pkg/user/user.go b/pkg/user/user.go
index 53a9b8121..d1bd45b50 100644
--- a/pkg/user/user.go
+++ b/pkg/user/user.go
@@ -314,7 +314,15 @@ func getUser(s *xorm.Session, user *User, withEmail bool) (userOut *User, err error)
 		userOut.OverdueTasksRemindersTime = "9:00"
 	}
 
-	return userOut, err
+	if userOut.Status == StatusDisabled {
+		return userOut, &ErrAccountDisabled{UserID: userOut.ID}
+	}
+
+	if userOut.Status == StatusAccountLocked {
+		return userOut, &ErrAccountLocked{UserID: userOut.ID}
+	}
+
+	return userOut, nil
 }
 
 func getUserByUsernameOrEmail(s *xorm.Session, usernameOrEmail string) (u *User, err error) {
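Review bot: Call sites that, as the commit message says, "discard the error" in order to keep receiving disabled/locked users will also discard every other error getUser can produce, since lookup failures returned earlier in the function (which begins above this hunk) come back through the same `err` as the two new status errors. Those callers should tolerate only the status errors, e.g. `var disabled *ErrAccountDisabled; var locked *ErrAccountLocked; if err != nil && !errors.As(err, &disabled) && !errors.As(err, &locked) { return nil, err }`, rather than `u, _ := getUser(...)`. The new block also deserves a comment explaining why a non-nil user is returned together with an error, which is unusual for Go: `// Disabled and locked accounts are reported as an error so every caller rejects them by default; the user is still returned for the few callers that explicitly need it (GHSA-94xm-jj8x-3cr4).` The replacement of `return userOut, err` with `return userOut, nil` drops whatever `err` held at that point, so confirm that every `err` assignment above the hunk is followed by an early return; and note the guard only covers lookups routed through getUser, so any code that loads users directly from the session, if it exists, is not protected by this change.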