Disallow password resets for deactivated accounts.

Ensure all responses to password reset events are identical.
2020-09-02 09:09:13 -05:00 · 2020-09-02 09:09:13 -05:00 · cbf7f0e029
commit cbf7f0e029
parent d6e979aebe
4 changed files with 23 additions and 27 deletions
--- a/lib/pleroma/web/mastodon_api/controllers/auth_controller.ex
+++ b/lib/pleroma/web/mastodon_api/controllers/auth_controller.ex
@ -59,17 +59,11 @@ defmodule Pleroma.Web.MastodonAPI.AuthController do
  def password_reset(conn, params) do
    nickname_or_email = params["email"] || params["nickname"]

-    with {:ok, _} <- TwitterAPI.password_reset(nickname_or_email) do
-      conn
-      |> put_status(:no_content)
-      |> json("")
-    else
-      {:error, "unknown user"} ->
-        send_resp(conn, :not_found, "")
+    TwitterAPI.password_reset(nickname_or_email)

-      {:error, _} ->
-        send_resp(conn, :bad_request, "")
-    end
+    conn
+    |> put_status(:no_content)
+    |> json("")
  end

  defp local_mastodon_root_path(conn) do
--- a/lib/pleroma/web/twitter_api/twitter_api.ex
+++ b/lib/pleroma/web/twitter_api/twitter_api.ex
@ -72,7 +72,7 @@ defmodule Pleroma.Web.TwitterAPI.TwitterAPI do

  def password_reset(nickname_or_email) do
    with true <- is_binary(nickname_or_email),
-         %User{local: true, email: email} = user when is_binary(email) <-
+         %User{local: true, email: email, deactivated: false} = user when is_binary(email) <-
           User.get_by_nickname_or_email(nickname_or_email),
         {:ok, token_record} <- Pleroma.PasswordResetToken.create_token(user) do
      user
@ -81,17 +81,8 @@ defmodule Pleroma.Web.TwitterAPI.TwitterAPI do

      {:ok, :enqueued}
    else
-      false ->
-        {:error, "bad user identifier"}
-
-      %User{local: true, email: nil} ->
+      _ ->
        {:ok, :noop}
-
-      %User{local: false} ->
-        {:error, "remote user"}
-
-      nil ->
-        {:error, "unknown user"}
    end
  end