fix: prevent password reset from re-enabling admin-disabled accounts

kolaente 2026-03-20 10:07:59 +01:00 committed by kolaente
parent 4c80932b64
commit d8570c603d
1 changed files with 7 additions and 1 deletions


@ -70,7 +70,13 @@ func ResetPassword(s *xorm.Session, reset *PasswordReset) (userID int64, err err
return
}
user.Status = StatusActive
if user.Status == StatusDisabled {
return 0, &ErrAccountDisabled{UserID: user.ID}
}
if user.Status == StatusAccountLocked || user.Status == StatusEmailConfirmationRequired {
user.Status = StatusActive
}
_, err = s.
Cols("password", "status").
Where("id = ?", user.ID).