Enhance password reset flow to include checks for inactive user

Author: marcoAntonioNina

ProcessMaker/Http/Controllers/Auth/ForgotPasswordController.php

@@ -35,7 +35,7 @@ public function __construct()
 
     /**
      * Send a reset link to the given user.
-     * Blocked users will not receive the reset email for security reasons.
+     * Blocked or inactive users will not receive the reset email for security reasons.
      *
      * @param  Request  $request
      * @return \Illuminate\Http\RedirectResponse|\Illuminate\Http\JsonResponse
@@ -46,7 +46,7 @@ public function sendResetLinkEmail(Request $request)
 
         $user = User::where('email', $request->input('email'))->first();
 
-        if ($user && $user->status === 'BLOCKED') {
+        if ($user && ($user->status === 'BLOCKED' || $user->status === 'INACTIVE')) {
             return $this->sendResetLinkResponse($request, Password::RESET_LINK_SENT);
         }
 

ProcessMaker/Http/Controllers/Auth/ResetPasswordController.php

@@ -55,6 +55,11 @@ public function showResetForm(Request $request, $token)
                 ->withErrors(['email' => __('passwords.blocked')]);
         }
 
+        if ($user->status === 'INACTIVE') {
+            return redirect()->route('password.request')
+                ->withErrors(['email' => __('passwords.inactive')]);
+        }
+
         return view('auth.passwords.reset', [
             'username' => $user->username,
             'token' => $token,
@@ -64,7 +69,7 @@ public function showResetForm(Request $request, $token)
 
     /**
      * Reset the given user's password.
-     * Blocked users cannot reset their password.
+     * Blocked or inactive users cannot reset their password.
      *
      * @param  Request  $request
      * @return \Illuminate\Http\RedirectResponse|\Illuminate\Http\JsonResponse
@@ -77,6 +82,10 @@ public function reset(Request $request)
             return $this->sendResetFailedResponse($request, 'passwords.blocked');
         }
 
+        if ($user && $user->status === 'INACTIVE') {
+            return $this->sendResetFailedResponse($request, 'passwords.inactive');
+        }
+
         return $this->performPasswordReset($request);
     }
 }

resources/lang/en.json

@@ -1547,6 +1547,7 @@
   "passwords.token": "This password reset token is invalid.",
   "passwords.user": "We can't find a user with that e-mail address.",
   "passwords.blocked": "Your account has been blocked. Please contact your administrator.",
+  "passwords.inactive": "Your account is inactive. Please contact your administrator.",
   "Pause Start Timer Events": "Pause Start Timer Events",
   "Pause Timer Start Events": "Pause Timer Start Events",
   "per page": "per page",

resources/lang/en/passwords.php

@@ -19,5 +19,6 @@
     'token' => 'This password reset token is invalid.',
     'user' => "We can't find a user with that email address.",
     'blocked' => 'Your account has been blocked. Please contact your administrator.',
+    'inactive' => 'Your account is inactive. Please contact your administrator.',
 
 ];

tests/Feature/Auth/PasswordResetTest.php

@@ -29,6 +29,23 @@ public function testForgotPasswordDoesNotNotifyBlockedUser(): void
         Notification::assertNothingSent();
     }
 
+    public function testForgotPasswordDoesNotNotifyInactiveUser(): void
+    {
+        Notification::fake();
+
+        $user = User::factory()->create([
+            'email' => 'inactive-forgot@example.com',
+            'status' => 'INACTIVE',
+        ]);
+
+        $response = $this->post(route('password.email'), [
+            'email' => $user->email,
+        ]);
+
+        $response->assertSessionHas('status');
+        Notification::assertNothingSent();
+    }
+
     public function testForgotPasswordSendsNotificationToActiveUser(): void
     {
         Notification::fake();
@@ -57,7 +74,25 @@ public function testShowResetFormRedirectsBlockedUserToRequestForm(): void
         $response = $this->get($url . '?email=' . urlencode($user->email));
 
         $response->assertRedirect(route('password.request'));
-        $response->assertSessionHasErrors('email');
+        $response->assertSessionHasErrors([
+            'email' => __('passwords.blocked'),
+        ]);
+    }
+
+    public function testShowResetFormRedirectsInactiveUserToRequestForm(): void
+    {
+        $user = User::factory()->create([
+            'email' => 'inactive-reset-form@example.com',
+            'status' => 'INACTIVE',
+        ]);
+
+        $url = route('password.reset', ['token' => 'unused-token']);
+        $response = $this->get($url . '?email=' . urlencode($user->email));
+
+        $response->assertRedirect(route('password.request'));
+        $response->assertSessionHasErrors([
+            'email' => __('passwords.inactive'),
+        ]);
     }
 
     public function testShowResetFormDisplaysForActiveUser(): void
@@ -97,6 +132,25 @@ public function testResetPasswordRejectsBlockedUser(): void
         ]);
     }
 
+    public function testResetPasswordRejectsInactiveUser(): void
+    {
+        $user = User::factory()->create([
+            'email' => 'inactive-reset-post@example.com',
+            'status' => 'INACTIVE',
+        ]);
+
+        $response = $this->from(route('password.request'))->post('/password/reset', [
+            'token' => 'will-not-be-used',
+            'email' => $user->email,
+            'password' => 'NewPassword123!',
+            'password_confirmation' => 'NewPassword123!',
+        ]);
+
+        $response->assertSessionHasErrors([
+            'email' => __('passwords.inactive'),
+        ]);
+    }
+
     public function testResetPasswordUpdatesPasswordForActiveUser(): void
     {
         /** @var User $user */