Deactivated user can login by requesting password reset

Question

Deactivated user can login by requesting password reset

redactuk opened this issue 3 years ago · 12 comments

Steps on clean laravel-boileplate v8.3.1 install:

Admin deactivates a user
Deactivated user can't login now, but can click 'Forgot your password?' link
Deactivated user then resets password using email link sent, and after changing password is automatically logged in

Pretty sure this is not meant to happen, as if this user then logs out again, once again they can't login as 'deactivated'

Answer 1 · 2022-07-09T04:29:56.000Z

Yes you are right.

A possible solution would be to modify the rules function in the file app\Domains\Auth\Http\Controllers\Frontend\ResetPasswordController.php
to update the 'email' requirement.

        'email' => ['required', 'max:255', 'email',
            Rule::exists(with(new User())->getTable())->where(function ($query) {
                return $query->where('active', '=', true)->whereNotNull('email_verified_at');
            }), ],

Though this would still send the email with token to the user.

Answer 2 · 2022-07-09T06:39:10.000Z

What I was trying to work out is where user is automatically logged in after password reset, as surely that would be the point at which a check is done to see if the user is deactivated? i.e. let them change password, but still block them once that done.

Answer 3 · 2022-07-09T06:44:59.000Z

I think that is in https://github.com/laravel/ui/blob/3.x/auth-backend/ResetsPasswords.php

Answer 4 · 2022-08-08T09:11:27.000Z