Deactivated user can login by requesting password reset #1589

Closed
redactuk opened this issue Jul 8, 2022 · 12 comments
redactuk commented Jul 8, 2022

Steps on a clean laravel-boilerplate v8.3.1 install:

  1. Admin deactivates a user
  2. Deactivated user can't log in now, but can click the 'Forgot your password?' link
  3. Deactivated user then resets the password using the email link sent, and after changing the password is automatically logged in

Pretty sure this is not meant to happen, as if this user then logs out again, once again they can't log in as they are 'deactivated'.

bryanrscott (Contributor) commented

Yes you are right.

A possible solution would be to modify the rules function in the file app\Domains\Auth\Http\Controllers\Frontend\ResetPasswordController.php to update the 'email' requirement.

```php
// In rules() of app\Domains\Auth\Http\Controllers\Frontend\ResetPasswordController.php
'email' => ['required', 'max:255', 'email',
    Rule::exists(with(new User())->getTable())->where(function ($query) {
        // Only accept a reset for an account that is active and has a verified email
        return $query->where('active', '=', true)->whereNotNull('email_verified_at');
    }), ],
```

Though this would still send the email with token to the user.

redactuk (Author) commented Jul 9, 2022

What I was trying to work out is where the user is automatically logged in after the password reset, as surely that would be the point at which a check is done to see if the user is deactivated? i.e. let them change the password, but still block them once that's done.


stale bot commented Aug 8, 2022

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

@stale stale bot added the wontfix label Aug 8, 2022
@stale stale bot closed this as completed Aug 15, 2022
@rappasoft rappasoft reopened this Aug 15, 2022
@stale stale bot removed the wontfix label Aug 15, 2022
stale bot commented Sep 14, 2022

@stale stale bot added the wontfix label Sep 14, 2022
@stale stale bot closed this as completed Sep 22, 2022
@rappasoft rappasoft reopened this Sep 22, 2022
@stale stale bot removed the wontfix label Sep 22, 2022
stale bot commented Oct 23, 2022

@stale stale bot added the wontfix label Oct 23, 2022
@stale stale bot closed this as completed Oct 31, 2022
@rappasoft rappasoft reopened this Oct 31, 2022
@stale stale bot removed the wontfix label Oct 31, 2022
stale bot commented Dec 2, 2022

@stale stale bot added the wontfix label Dec 2, 2022
@stale stale bot closed this as completed Dec 9, 2022
@rappasoft rappasoft reopened this Dec 9, 2022
@stale stale bot removed the wontfix label Dec 9, 2022
im-denny added a commit to im-denny/laravel-boilerplate that referenced this issue Dec 26, 2022
im-denny commented Dec 26, 2022

Hello,

I have submitted pull request #1596 addressing this issue.

I wrote a few lines of code intervening in the redirection after a successful password reset attempt, which will check the user's active status before proceeding with the redirection and log them out in case they are found inactive. I have developed a test for the same as well.
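The two layers discussed in this thread, bryanrscott's validation rule on the reset form and the post-reset check redactuk and im-denny describe, can be combined in one controller; the sketch below is an added illustration, not code from the boilerplate or from PR #1596/#1599. It assumes the controller uses the `ResetsPasswords` trait from laravel/ui (whose default `resetPassword` ends with `guard()->login($user)`), that the user model lives at `App\Domains\Auth\Models\User`, and that it has the boolean `active` column mentioned above.

```php
<?php

namespace App\Domains\Auth\Http\Controllers\Frontend;

use App\Domains\Auth\Models\User;          // assumed model location
use App\Http\Controllers\Controller;       // assumed base controller
use Illuminate\Auth\Events\PasswordReset;
use Illuminate\Foundation\Auth\ResetsPasswords;
use Illuminate\Support\Facades\Hash;
use Illuminate\Support\Str;
use Illuminate\Validation\Rule;

class ResetPasswordController extends Controller
{
    use ResetsPasswords;

    // Layer 1: the reset form is rejected outright for inactive or unverified
    // accounts, so no reset is performed at all (rule proposed above).
    protected function rules()
    {
        return [
            'token' => ['required'],
            'email' => ['required', 'max:255', 'email',
                Rule::exists(with(new User())->getTable())->where(function ($query) {
                    return $query->where('active', '=', true)->whereNotNull('email_verified_at');
                }),
            ],
            'password' => ['required', 'confirmed', 'min:8'], // assumed password policy
        ];
    }

    // Layer 2: even if a reset does go through, an inactive user never gets a
    // session. This mirrors the trait's default except for the final login().
    protected function resetPassword($user, $password)
    {
        $user->password = Hash::make($password);
        $user->setRememberToken(Str::random(60));
        $user->save();

        event(new PasswordReset($user));

        if (! $user->active) {
            // Password is changed, but the account stays locked out exactly
            // as it would be on the normal login form.
            return;
        }

        $this->guard()->login($user);
    }
}
```

Layer 2 is the one that closes the bug as reported: layer 1 alone stops most cases but, as noted above, a token may already have been emailed before the rule is evaluated.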

stale bot commented Jan 26, 2023

@stale stale bot added the wontfix label Jan 26, 2023
ccsliinc commented

@im-denny I have made a new pull request to fix this issue. #1599

@stale stale bot removed the wontfix label Jan 26, 2023
stale bot commented Feb 26, 2023

@stale stale bot added the wontfix label Feb 26, 2023
@stale stale bot closed this as completed Mar 5, 2023
@rappasoft rappasoft reopened this Mar 5, 2023
@stale stale bot removed the wontfix label Mar 5, 2023
stale bot commented Apr 5, 2023

@stale stale bot added the wontfix label Apr 5, 2023
@stale stale bot closed this as completed Apr 17, 2023