Password reset on a disabled account

Hi all,

this is a general observation and security remark: if a user account is disabled, but the password reset function is on, the disabled user can reset his/her password. If in addition the user had the system manager role, he/she is able to enable the user after setting a new password. (Observed in ERPNext v9.0.6)

In my perspective, disabling of users is used to prevent access to the system. The purpose of this is defeated if the user can gain access to the system again. Therefore, in my opinion, the reset password function should not work if a user is disabled (same as login is prevented when the user is disabled). Alternatively, an option “Blocked” should be added to the user.

Any thoughts on this? Should I raise a pull request?
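To make the requested behaviour concrete, here is an added example (not code from Frappe/ERPNext or from the poster) of a minimal password-reset flow that refuses disabled accounts at both points where it matters: when a reset token is requested, and again when the token is redeemed, since an account may be disabled between the two. The in-memory `USERS` store, the `enabled` field name, the token format and the hashing choices are all assumptions made for this illustration; only the idea (reset should be gated the same way login is) comes from the post above.

```python
import hashlib
import hmac
import secrets
import time

# Constructed in-memory user store standing in for the User records.
# "enabled" mirrors the User doctype's enabled checkbox; 1 = enabled, 0 = disabled.
USERS = {
    "alice@example.com": {"enabled": 1, "salt": None, "password_hash": None},
    "bob@example.com": {"enabled": 0, "salt": None, "password_hash": None},  # disabled
}

# Outstanding reset tokens, keyed by SHA-256 of the token so a leaked table
# does not hand out usable tokens. Value: (email, expiry timestamp).
_RESET_TOKENS = {}
TOKEN_TTL_SECONDS = 15 * 60


def _account_can_authenticate(email):
    """Single source of truth used by login, reset request and reset completion."""
    user = USERS.get(email)
    return bool(user and user["enabled"])


def _hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def request_password_reset(email, now=None):
    """Issue a reset token only for an enabled account; return None otherwise.

    The HTTP layer should answer with the same generic message in both cases
    ("if this account exists and is active, an email was sent"), so the caller
    must not reveal this return value to the requester.
    """
    now = time.time() if now is None else now
    if not _account_can_authenticate(email):
        return None  # disabled or unknown: behave exactly like a refused login
    token = secrets.token_urlsafe(32)
    token_key = hashlib.sha256(token.encode()).hexdigest()
    _RESET_TOKENS[token_key] = (email, now + TOKEN_TTL_SECONDS)
    return token


def complete_password_reset(token, new_password, now=None):
    """Redeem a token and set the new password. Returns True on success."""
    now = time.time() if now is None else now
    token_key = hashlib.sha256(token.encode()).hexdigest()
    entry = _RESET_TOKENS.pop(token_key, None)  # single use: consumed even on failure
    if entry is None:
        return False
    email, expiry = entry
    if now > expiry:
        return False
    # Re-check at redemption: the account may have been disabled after the
    # token was issued, which is exactly the window the original post describes.
    if not _account_can_authenticate(email):
        return False
    salt = secrets.token_bytes(16)
    USERS[email]["salt"] = salt
    USERS[email]["password_hash"] = _hash_password(new_password, salt)
    return True


def verify_login(email, password):
    """Login check, gated by the same enabled test as the reset flow."""
    if not _account_can_authenticate(email):
        return False
    user = USERS[email]
    if user["password_hash"] is None:
        return False
    return hmac.compare_digest(_hash_password(password, user["salt"]), user["password_hash"])


if __name__ == "__main__":
    print("bob (disabled) token:", request_password_reset("bob@example.com"))
    tok = request_password_reset("alice@example.com")
    print("alice reset ok:", complete_password_reset(tok, "correct horse battery staple"))
    print("alice login ok:", verify_login("alice@example.com", "correct horse battery staple"))
```

The point of routing every entry path through one `_account_can_authenticate` check is that a future "Blocked" option, as suggested in the post, only needs to be added in one place to cover login, reset request and reset completion alike.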

Hi @lasalesi,
It would be great if you could send in a pull request on github.

Thanks @shreya115 for creating the related issue on Password reset shouldn't be allowed on a disabled account · Issue #4622 · frappe/frappe · GitHub

Will test out a solution and propose a pull request.
