Hi all,
this is a general observation and security remark: if a user account is disabled, but the password reset function is on, the disabled user can reset his/her password. If, in addition, the user had the System Manager role, he/she is able to enable the user after setting a new password. (Observed in ERPNext v9.0.6)
From my perspective, disabling users is used to prevent access to the system. The purpose of this is defeated if the user can gain access to the system again. Therefore, in my opinion, the reset password function should not work if a user is disabled (the same way login is prevented when the user is disabled). Alternatively, an option "Blocked" should be added to the user.
Any thoughts on this? Should I raise a pull request?
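As an added example (not code from the post, and not ERPNext's or Frappe's own implementation), a stand-alone Python sketch of the gate the post asks for: a reset token is refused for a disabled account both when it is requested and when it is consumed, and disabling an account revokes tokens already issued. `User`, `request_password_reset`, `complete_password_reset` and `disable_user` are hypothetical names.

```python
import hmac
import secrets
import time
from dataclasses import dataclass, field


class AccountDisabledError(Exception):
    """Raised when a reset is attempted for a disabled account."""


class InvalidTokenError(Exception):
    """Raised for unknown, already-used or expired reset tokens."""


@dataclass
class User:  # hypothetical stand-in for the application's user record
    name: str
    enabled: bool = True
    password_hash: str = ""
    # Outstanding reset tokens: token -> expiry (unix seconds).
    reset_tokens: dict = field(default_factory=dict)


def request_password_reset(user: User, ttl_seconds: int = 3600) -> str:
    """Issue a reset token only for an enabled account (the check the post asks for)."""
    if not user.enabled:
        raise AccountDisabledError(user.name)
    token = secrets.token_urlsafe(32)
    user.reset_tokens[token] = time.time() + ttl_seconds
    return token


def complete_password_reset(user: User, token: str, new_password_hash: str) -> bool:
    """Consume a token and store the new hash. The enabled flag is checked again
    here, since the account may have been disabled after the token was issued."""
    if not user.enabled:
        user.reset_tokens.clear()
        raise AccountDisabledError(user.name)
    now = time.time()
    for stored, expiry in list(user.reset_tokens.items()):
        if expiry < now:
            del user.reset_tokens[stored]  # drop expired tokens as we go
        elif hmac.compare_digest(stored.encode(), token.encode()):
            del user.reset_tokens[stored]  # single use
            user.password_hash = new_password_hash
            return True
    raise InvalidTokenError(user.name)


def disable_user(user: User) -> None:
    """Disabling an account also revokes any reset token already issued."""
    user.enabled = False
    user.reset_tokens.clear()
```

Login stays blocked while the account is disabled, so with reset closed as well there is no remaining path for a disabled System Manager to re-enable their own account.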