No password reset for disabled users

Signed-off-by: Joas Schilling <coding@schilljs.com>

core/Controller/LostController.php

@@ -167,7 +167,7 @@ class LostController extends Controller {
 	 */
 	protected function checkPasswordResetToken($token, $userId) {
 		$user = $this->userManager->get($userId);
-		if($user === null) {
+		if($user === null || !$user->isEnabled()) {
 			throw new \Exception($this->l10n->t('Couldn\'t reset password because the token is invalid'));
 		}
 
@@ -340,16 +340,25 @@ class LostController extends Controller {
 	/**
 	 * @param string $input
 	 * @return IUser
-	 * @throws \Exception
+	 * @throws \InvalidArgumentException
 	 */
 	protected function findUserByIdOrMail($input) {
 		$user = $this->userManager->get($input);
 		if ($user instanceof IUser) {
+			if (!$user->isEnabled()) {
+				throw new \InvalidArgumentException($this->l10n->t('Couldn\'t send reset email. Please make sure your username is correct.'));
+			}
+
 			return $user;
 		}
 		$users = $this->userManager->getByEmail($input);
 		if (count($users) === 1) {
-			return $users[0];
+			$user = $users[0];
+			if (!$user->isEnabled()) {
+				throw new \InvalidArgumentException($this->l10n->t('Couldn\'t send reset email. Please make sure your username is correct.'));
+			}
+
+			return $user;
 		}
 
 		throw new \InvalidArgumentException($this->l10n->t('Couldn\'t send reset email. Please make sure your username is correct.'));

tests/Core/Controller/LostControllerTest.php

@@ -84,6 +84,9 @@ class LostControllerTest extends \Test\TestCase {
 		$this->existingUser->expects($this->any())
 			->method('getUID')
 			->willReturn('ExistingUser');
+		$this->existingUser->expects($this->any())
+			->method('isEnabled')
+			->willReturn(true);
 
 		$this->config = $this->createMock(IConfig::class);
 		$this->config->expects($this->any())
@@ -684,8 +687,34 @@ class LostControllerTest extends \Test\TestCase {
 		$this->assertSame($expectedResponse, $response);
 	}
 
+	public function testSetPasswordForDisabledUser() {
+		$user = $this->createMock(IUser::class);
+		$user->expects($this->any())
+			->method('isEnabled')
+			->willReturn(false);
+		$user->expects($this->never())
+			->method('setPassword');
+
+		$this->config->method('getUserValue')
+			->with('ValidTokenUser', 'core', 'lostpassword', null)
+			->willReturn('encryptedData');
+		$this->userManager->method('get')
+			->with('DisabledUser')
+			->willReturn($this->existingUser);
+
+		$response = $this->lostController->setPassword('TheOnlyAndOnlyOneTokenToResetThePassword', 'DisabledUser', 'NewPassword', true);
+		$expectedResponse = [
+			'status' => 'error',
+			'msg' => 'Couldn\'t reset password because the token is invalid'
+			];
+		$this->assertSame($expectedResponse, $response);
+	}
+
 	public function testSendEmailNoEmail() {
 		$user = $this->createMock(IUser::class);
+		$user->expects($this->any())
+			->method('isEnabled')
+			->willReturn(true);
 		$this->userManager->method('userExists')
 			->with('ExistingUser')
 			->willReturn(true);