From d8570c603da1f26635ce6048d6af85ede827abfb Mon Sep 17 00:00:00 2001
From: kolaente
Date: Fri, 20 Mar 2026 10:07:59 +0100
Subject: [PATCH] fix: prevent password reset from re-enabling admin-disabled accounts
---
 pkg/user/user_password_reset.go | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/pkg/user/user_password_reset.go b/pkg/user/user_password_reset.go
index f92d8895b..431c1fe47 100644
--- a/pkg/user/user_password_reset.go
+++ b/pkg/user/user_password_reset.go
@@ -70,7 +70,13 @@ func ResetPassword(s *xorm.Session, reset *PasswordReset) (userID int64, err err
 return
 }
- user.Status = StatusActive
+ if user.Status == StatusDisabled {
+ return 0, &ErrAccountDisabled{UserID: user.ID}
+ }
+
+ if user.Status == StatusAccountLocked || user.Status == StatusEmailConfirmationRequired {
+ user.Status = StatusActive
+ }
 _, err = s.
 Cols("password", "status").
 Where("id = ?", user.ID).
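Review bot: The new guard in ResetPassword denies only `StatusDisabled`, so any status introduced later that is neither locked nor awaiting e-mail confirmation falls through and still has its password replaced. A `switch user.Status` that lists the statuses allowed to reset and refuses everything else in `default` would make the check fail closed. The early return also appears to leave the reset token untouched (the function starts and ends outside the hunk, so this is inferred); it is worth confirming the token is invalidated, or that token requests are refused for disabled users, so the same link does not work again after an admin re-enables the account. The diffstat lists only this file, so a regression test that resets a disabled user and asserts `ErrAccountDisabled` with status and password hash unchanged is still missing.

```go
	// … unchanged: earlier part of ResetPassword …
	switch user.Status {
	case StatusActive:
		// status stays as it is
	case StatusAccountLocked, StatusEmailConfirmationRequired:
		user.Status = StatusActive
	default:
		// StatusDisabled and any status not listed above: refuse the reset
		return 0, &ErrAccountDisabled{UserID: user.ID}
	}
	// … unchanged: s.Cols("password", "status") update …
```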