
fix: prevent password reset on disabled account

Nicolas Giard hace 9 meses
padre
commit
b9fb17d4d4
Se han modificado 1 ficheros con 7 adiciones y 0 borrados
  1. 7 0
      server/models/users.js

+ 7 - 0
server/models/users.js

@@ -499,6 +499,10 @@ module.exports = class User extends Model {
     })
 
     if (usr) {
+      if (!usr.isActive) {
+        throw new WIKI.Error.AuthAccountBanned()
+      }
+      
       await WIKI.models.users.query().patch({
         password: newPassword,
         mustChangePwd: false
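Review bot: The rejection added at `if (!usr.isActive)` throws without recording anything, so a reset attempted with a token that resolved to a disabled account leaves no trace for monitoring; a `WIKI.logger.warn` call naming `usr.id` just before the `throw` would close that gap. Whether the reset token has already been consumed at this point is not visible in the hunk; if it is still valid after the throw, it could be used again once the account is re-enabled, so it is worth confirming that it is invalidated on this path as well. The added blank line after the closing brace carries trailing whitespace. The enclosing method starts and ends outside the hunk.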
@@ -527,6 +531,9 @@ module.exports = class User extends Model {
     if (!usr) {
       WIKI.logger.debug(`Password reset attempt on nonexistant local account ${email}: [DISCARDED]`)
       return
+    } else if (!usr.isActive) {
+      WIKI.logger.debug(`Password reset attempt on disabled local account ${email}: [DISCARDED]`)
+      return
     }
     const resetToken = await WIKI.models.userKeys.generateToken({
       userId: usr.id,
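Review bot: The new `else if (!usr.isActive)` branch records the discarded attempt only at debug level and interpolates `email` into the message unmodified. If `email` arrives straight from the request (the caller is outside the hunk), embedded line breaks could forge log entries, and a debug-level record is usually dropped in production, so repeated reset requests against disabled accounts would go unnoticed. Consider `WIKI.logger.warn` with the address encoded first, for example through `JSON.stringify(email)`. Because the preceding branch already returns, the `else` is redundant and a plain `if (!usr.isActive) {` reads more clearly. The function body starts and ends outside the hunk.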