From fd452b9cb6457fd4f9936527a14c359818f1cca7 Mon Sep 17 00:00:00 2001
From: kolaente
Date: Mon, 23 Mar 2026 16:10:46 +0100
Subject: [PATCH] fix(auth): skip profile updates for disabled LDAP users

When a disabled/locked LDAP user authenticates, return early from getOrCreateLdapUser without updating their profile info or syncing avatar. The login handler already rejects them, but this avoids unnecessary database writes.
Ref: GHSA-94xm-jj8x-3cr4
---
 pkg/modules/auth/ldap/ldap.go | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/pkg/modules/auth/ldap/ldap.go b/pkg/modules/auth/ldap/ldap.go
index d14a625e2..a1d79a63a 100644
--- a/pkg/modules/auth/ldap/ldap.go
+++ b/pkg/modules/auth/ldap/ldap.go
@@ -268,6 +268,11 @@ func getOrCreateLdapUser(s *xorm.Session, entry *ldap.Entry) (u *user.User, err
 return nil, err
 }
 
+ // If the user exists but is disabled/locked, return early without updating profile
+ if user.IsErrUserStatusError(err) {
+ return u, nil
+ }
+
 // If no user exists, create one with the preferred username if it is not already taken
 if user.IsErrUserDoesNotExist(err) {
 uu := &user.User{
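Review bot: The added early return in getOrCreateLdapUser hands back a disabled or locked account with a nil error (`return u, nil`), so rejecting that account depends entirely on each caller re-checking the user's status. The commit message says the login handler does this, but any other caller, present or future, that treats a nil error as a successful LDAP authentication would fail open. Consider propagating the status error instead, `return u, err`, if the callers can handle it, or at minimum extend the comment to `// The returned user may be disabled or locked; callers must check its status before issuing a session.` The lookup that sets u and err and the rest of the function are outside this hunk, so whether u is always non-nil on this path could not be confirmed here.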