From 2d0af812b1a81c788182e76fff0c59e7aa6554b8 Mon Sep 17 00:00:00 2001
From: Hypolite Petovan <hypolite@mrpetovan.com>
Date: Sat, 12 Nov 2022 09:58:58 -0500
Subject: [PATCH] Don't send password reset emails to deleted user accounts

---
 mod/lostpass.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/mod/lostpass.php b/mod/lostpass.php
index 62b621b8c..f840f2fb6 100644
--- a/mod/lostpass.php
+++ b/mod/lostpass.php
@@ -34,7 +34,7 @@ function lostpass_post(App $a)
 		DI::baseUrl()->redirect();
 	}
 
-	$condition = ['(`email` = ? OR `nickname` = ?) AND `verified` = 1 AND `blocked` = 0', $loginame, $loginame];
+	$condition = ['(`email` = ? OR `nickname` = ?) AND `verified` = 1 AND `blocked` = 0 AND `account_removed` = 0 AND `account_expired` = 0', $loginame, $loginame];
 	$user = DBA::selectFirst('user', ['uid', 'username', 'nickname', 'email', 'language'], $condition);
 	if (!DBA::isResult($user)) {
 		DI::sysmsg()->addNotice(DI::l10n()->t('No valid account found.'));