Prevent password reset for not activated user

2016-04-04 13:54:22 +02:00
parent bbaf4c77fd
commit c8604e95ab
1 changed files with 2 additions and 0 deletions
@@ -350,6 +350,8 @@ function passwordReset(req, res, next) {
    user.getByResetToken(req.body.resetToken, function (error, userObject) {
        if (error) return next(new HttpError(401, 'Invalid resetToken'));

+        if (!userObject.username) return next(new HttpError(401, 'No username set'));
+
        // setPassword clears the resetToken
        user.setPassword(userObject.id, req.body.password, function (error, result) {
            if (error && error.reason === UserError.BAD_PASSWORD) return next(new HttpError(406, 'Password does not meet the requirements'));