fix(auth): skip profile updates for disabled LDAP users

When a disabled/locked LDAP user authenticates, return early from
getOrCreateLdapUser without updating their profile info or syncing
avatar. The login handler already rejects them, but this avoids
unnecessary database writes.

Ref: GHSA-94xm-jj8x-3cr4
kolaente 2026-03-23 16:10:46 +01:00 committed by kolaente
parent 033922309f
commit fd452b9cb6
1 changed files with 5 additions and 0 deletions


@ -268,6 +268,11 @@ func getOrCreateLdapUser(s *xorm.Session, entry *ldap.Entry) (u *user.User, err
return nil, err
}
// If the user exists but is disabled/locked, return early without updating profile
if user.IsErrUserStatusError(err) {
return u, nil
}
// If no user exists, create one with the preferred username if it is not already taken
if user.IsErrUserDoesNotExist(err) {
uu := &user.User{
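Review bot: The new early return `if user.IsErrUserStatusError(err) { return u, nil }` discards the status error, so a disabled or locked account comes back to the caller looking like a successful lookup. The commit message relies on the login handler rejecting these users, but nothing at the return site says so, and a later caller that trusts a nil error would treat the account as usable. I would state that contract above the return, e.g. `// Callers must check the returned user's status themselves: a nil error here does not mean the account may log in.` Whether `u` is fully populated when the lookup fails with a status error depends on code above this hunk, so that is worth confirming and covering with a test that authenticates a disabled LDAP user and asserts both the rejection and the unchanged profile fields. getOrCreateLdapUser starts and ends outside the hunk.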