From c8604e95ab851e68d9d4f1e2235dcdd227f0cb41 Mon Sep 17 00:00:00 2001
From: Johannes Zellner
Date: Mon, 4 Apr 2016 13:54:22 +0200
Subject: [PATCH] Prevent password reset for not activated user
---
src/routes/oauth2.js | 2 ++
1 file changed, 2 insertions(+)
diff --git a/src/routes/oauth2.js b/src/routes/oauth2.js
index dfe2e27a3..611126c72 100644
--- a/src/routes/oauth2.js
+++ b/src/routes/oauth2.js
@@ -350,6 +350,8 @@ function passwordReset(req, res, next) {
 user.getByResetToken(req.body.resetToken, function (error, userObject) {
 if (error) return next(new HttpError(401, 'Invalid resetToken'));
+ if (!userObject.username) return next(new HttpError(401, 'No username set'));
+ // setPassword clears the resetToken
 user.setPassword(userObject.id, req.body.password, function (error, result) {
 if (error && error.reason === UserError.BAD_PASSWORD) return next(new HttpError(406, 'Password does not meet the requirements'));