No password reset for disabled users

Signed-off-by: Joas Schilling <coding@schilljs.com>

1 files changed, 12 insertions, 3 deletions

diff --git a/core/Controller/LostController.php b/core/Controller/LostController.php
index 59a4e0b2534..d23a6c2970d 100644
--- a/core/Controller/LostController.php
+++ b/core/Controller/LostController.php
@@ -167,7 +167,7 @@ class LostController extends Controller {
 	 */
 	protected function checkPasswordResetToken($token, $userId) {
 		$user = $this->userManager->get($userId);
-		if($user === null) {
+		if($user === null || !$user->isEnabled()) {
 			throw new \Exception($this->l10n->t('Couldn\'t reset password because the token is invalid'));
 		}
 
@@ -340,16 +340,25 @@ class LostController extends Controller {
 	/**
 	 * @param string $input
 	 * @return IUser
-	 * @throws \Exception
+	 * @throws \InvalidArgumentException
 	 */
 	protected function findUserByIdOrMail($input) {
 		$user = $this->userManager->get($input);
 		if ($user instanceof IUser) {
+			if (!$user->isEnabled()) {
+				throw new \InvalidArgumentException($this->l10n->t('Couldn\'t send reset email. Please make sure your username is correct.'));
+			}
+
 			return $user;
 		}
 		$users = $this->userManager->getByEmail($input);
 		if (count($users) === 1) {
-			return $users[0];
+			$user = $users[0];
+			if (!$user->isEnabled()) {
+				throw new \InvalidArgumentException($this->l10n->t('Couldn\'t send reset email. Please make sure your username is correct.'));
+			}
+
+			return $user;
 		}
 
 		throw new \InvalidArgumentException($this->l10n->t('Couldn\'t send reset email. Please make sure your username is correct.'));