From 708ccab895a23ed59b330db4a58a441bf5fbfcb2 Mon Sep 17 00:00:00 2001
From: kolaente
Date: Fri, 20 Mar 2026 10:08:08 +0100
Subject: [PATCH] fix: reject password reset token requests for disabled users

---
 pkg/user/user_password_reset.go | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/pkg/user/user_password_reset.go b/pkg/user/user_password_reset.go
index 431c1fe47..204cef3c4 100644
--- a/pkg/user/user_password_reset.go
+++ b/pkg/user/user_password_reset.go
@@ -116,6 +116,10 @@ func RequestUserPasswordResetTokenByEmail(s *xorm.Session, tr *PasswordTokenRequ
 return
 }
 
+ if user.Status == StatusDisabled {
+ return &ErrAccountDisabled{UserID: user.ID}
+ }
+
 return RequestUserPasswordResetToken(s, user)
 }
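Review bot: The new `StatusDisabled` check guards only `RequestUserPasswordResetTokenByEmail`, so any other caller of `RequestUserPasswordResetToken(s, user)` and any reset token issued before the account was disabled are presumably not covered by it; neither path is visible in this hunk, so that should be confirmed. Moving the check into `RequestUserPasswordResetToken` itself, and repeating it where a token is redeemed, would close both gaps. Returning `&ErrAccountDisabled{UserID: user.ID}` from an unauthenticated request also lets the requester tell a disabled account apart from an unknown e-mail address unless the HTTP handler maps both to the same response, which is worth verifying. A short comment above the check, such as `// Disabled accounts must not receive reset mails; the handler should not reveal this state to the requester.`, would record the intent. The function body starts outside the hunk.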