Commit 1833a56c authored by ale

Do not allow account recovery for inactive users

parent e2364a1a
Pipeline #5127 passed with stages
in 4 minutes and 17 seconds
......@@ -145,6 +145,11 @@ func (r *AccountRecoveryRequest) PopulateContext(rctx *RequestContext) error {
// Authorize the request.
func (r *AccountRecoveryRequest) Authorize(rctx *RequestContext) error {
// The user must be in the 'active' state.
if rctx.User.Status != UserStatusActive {
return errors.New("user is not active")
// Anyone can request the hint (rate-limit above this layer).
if r.RecoveryPassword == "" {
return nil
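Review bot: The added `return errors.New("user is not active")` in Authorize gives the recovery flow a failure that differs from its other outcomes, and the comment just below notes that anyone can request the hint. If this error text (or a status derived from it) reaches the client, an unauthenticated caller can tell inactive accounts apart from active or nonexistent ones. Consider returning the same generic error the other authorization failures use and recording the reason only in server-side logs, with a comment such as `// Keep the client-visible error generic so account state is not disclosed.` The check also dereferences `rctx.User` with no nil guard; presumably PopulateContext guarantees it is set before Authorize runs, but that is outside this hunk and worth confirming. Authorize's body continues past the end of the hunk.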