REST API password reset for protected user now fails

The endpoint now returns a 403 status code if the user is protected. Fixes #26885
mantisbt · May 2, 2020 · 6210c64 · 6210c64
1 parent 2c237c4
commit 6210c64
Showing 1 changed file with 7 additions and 1 deletion.
diff --git a/api/rest/restcore/users_rest.php b/api/rest/restcore/users_rest.php
@@ -107,7 +107,13 @@ function rest_user_reset_password( \Slim\Http\Request $p_request, \Slim\Http\Res
 	);
 
 	$t_command = new UserResetPasswordCommand( $t_data );
-	$t_command->execute();
+	$t_result = $t_command->execute();
+
+	if( $t_result['result'] == UserResetPasswordCommand::RESULT_FAILURE ) {
+		return $p_response
+			->withStatus( HTTP_STATUS_FORBIDDEN )
+			->withJson( array( 'message' => "Cannot reset a protected user's password") );
+	}
 
 	return $p_response->withStatus( HTTP_STATUS_NO_CONTENT );
 }