Fix blocked users being able to sign in using forgot password #10787
Signed-off-by: Derrick Mehaffy <derrickmehaffy@gmail.com>
Codecov Report
@@ Coverage Diff @@
## master #10787 +/- ##
=======================================
Coverage 58.12% 58.12%
=======================================
Files 185 185
Lines 6429 6429
Branches 1395 1395
=======================================
Hits 3737 3737
Misses 2230 2230
Partials 462 462
|
@@ -310,6 +310,11 @@ module.exports = { | |||
); | |||
} | |||
|
|||
// User blocked | |||
if (user.blocked) { | |||
return ctx.badRequest('blocked.user'); |
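Review bot: the added `if (user.blocked)` check covers only the step that requests a reset, so a reset token issued before the account was blocked is not addressed by these lines. If the handler that consumes the token does not already reject blocked users, it needs the same check, or outstanding reset tokens should be cleared when a user is blocked. Separately, `ctx.badRequest('blocked.user')` gives an unauthenticated caller a response that is specific to blocked accounts, which discloses the state of the account behind a submitted address. Consider whether this endpoint should answer blocked and non-blocked accounts identically and simply skip sending the email.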
Can you use the same format as line 304? Thus the message can be directly displayed in the front!
(and if you can fix the missing "a" line 286 too :p)
LGTM :)
Signed-off-by: Derrick Mehaffy derrickmehaffy@gmail.com
What does it do?
Adds a check in the forgot password controller to see if a user is blocked and return the valid error message if they are
Why is it needed?
Blocked users should not be able to perform any request at all
How to test it?
Create a user, set them as blocked, and attempt to send a password reset request
Related issue(s)/PR(s)
fixes #10776