m_sasl: don't allow logging into unconfirmed accounts

2 files changed, 4 insertions, 2 deletions

diff --git a/include/modules/sasl.h b/include/modules/sasl.h
index e2c832c7b..249a4c3b0 100644
--- a/include/modules/sasl.h
+++ b/include/modules/sasl.h
@@ -88,7 +88,7 @@ namespace SASL
 				return;
 
 			NickAlias *na = NickAlias::Find(GetAccount());
-			if (!na || na->nc->HasExt("NS_SUSPENDED"))
+			if (!na || na->nc->HasExt("NS_SUSPENDED") || na->nc->HasExt("UNCONFIRMED"))
 				return OnFail();
 
 			unsigned int maxlogins = Config->GetModule("ns_identify")->Get<unsigned int>("maxlogins");
@@ -126,6 +126,8 @@ namespace SASL
 				accountstatus = "nonexistent ";
 			else if (na->nc->HasExt("NS_SUSPENDED"))
 				accountstatus = "suspended ";
+			else if (na->nc->HasExt("UNCONFIRMED"))
+				accountstatus = "unconfirmed ";
 
 			Anope::string user = "A user";
 			if (!hostname.empty() && !ip.empty())
diff --git a/modules/m_sasl.cpp b/modules/m_sasl.cpp
index 7ec294575..cbda5d64c 100644
--- a/modules/m_sasl.cpp
+++ b/modules/m_sasl.cpp
@@ -109,7 +109,7 @@ class External : public Mechanism
 				user = mysess->hostname + " (" + mysess->ip + ")";
 
 			NickCore *nc = certs->FindAccountFromCert(mysess->cert);
-			if (!nc || nc->HasExt("NS_SUSPENDED"))
+			if (!nc || nc->HasExt("NS_SUSPENDED") || nc->HasExt("UNCONFIRMED"))
 			{
 				Log(Config->GetClient("NickServ"), "sasl") << user << " failed to identify using certificate " << mysess->cert << " using SASL EXTERNAL";
 				sasl->Fail(sess);