fix(auth): skip profile updates for disabled LDAP users
When a disabled/locked LDAP user authenticates, return early from getOrCreateLdapUser without updating their profile info or syncing avatar. The login handler already rejects them, but this avoids unnecessary database writes. Ref: GHSA-94xm-jj8x-3cr4
parent
033922309f
commit
fd452b9cb6
@ -268,6 +268,11 @@ func getOrCreateLdapUser(s *xorm.Session, entry *ldap.Entry) (u *user.User, err
|
|||
return nil, err
|
||||
}
|
||||
|
||||
// If the user exists but is disabled/locked, return early without updating profile
|
||||
if user.IsErrUserStatusError(err) {
|
||||
return u, nil
|
||||
}
|
||||
|
||||
// If no user exists, create one with the preferred username if it is not already taken
|
||||
if user.IsErrUserDoesNotExist(err) {
|
||||
uu := &user.User{
|
||||
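Review bot: The new early return `return u, nil` hands a disabled or locked account back with a nil error, so rejecting it depends entirely on every caller of getOrCreateLdapUser re-checking the user's status. The description says the login handler does this, but nothing in the hunk enforces it, and a later caller that trusts a nil error would treat the account as valid. Consider failing closed with `return u, err`. If the handler needs the nil error, extend the comment instead, for example `// Disabled/locked user: skip profile and avatar sync; every caller must still reject this user based on its status`. The lookup that sets u and err is above the hunk, so it is worth confirming that u is non-nil whenever the status error is returned, and adding a regression test for a disabled LDAP user.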