From 049f4a6be46f9460bd516f489ef9f569574bc70d Mon Sep 17 00:00:00 2001 From: kolaente Date: Fri, 20 Mar 2026 10:13:28 +0100 Subject: [PATCH] fix: prevent email confirmation from re-enabling admin-disabled accounts --- pkg/user/user_email_confirm.go | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/pkg/user/user_email_confirm.go b/pkg/user/user_email_confirm.go index 6e7c72346..f59942a9b 100644 --- a/pkg/user/user_email_confirm.go +++ b/pkg/user/user_email_confirm.go @@ -47,6 +47,10 @@ func ConfirmEmail(s *xorm.Session, c *EmailConfirm) (err error) { return } + if user.Status == StatusDisabled { + return &ErrAccountDisabled{UserID: user.ID} + } + user.Status = StatusActive err = removeTokens(s, user, TokenEmailConfirm) if err != nil {