From d6991ed11f7cc58f3e958e6e9d21e549445b845b Mon Sep 17 00:00:00 2001
From: Saurav Mishra <saurav.mishra@bizbrolly.com>
Date: Tue, 24 Feb 2026 18:12:21 +0530
Subject: [PATCH] Restrict user when account is locked

---
 .../common/controller/users/IEMRAdminController.java   | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/src/main/java/com/iemr/common/controller/users/IEMRAdminController.java b/src/main/java/com/iemr/common/controller/users/IEMRAdminController.java
index 554500f3..fce80930 100644
--- a/src/main/java/com/iemr/common/controller/users/IEMRAdminController.java
+++ b/src/main/java/com/iemr/common/controller/users/IEMRAdminController.java
@@ -279,6 +279,16 @@ public ResponseEntity<?> refreshToken(@RequestBody Map<String, String> request)
 			String userId = claims.get("userId", String.class);
 			User user = iemrAdminUserServiceImpl.getUserById(Long.parseLong(userId));
 
+			// validate if user account is locked or de-activated
+			if(user.getDeleted()){
+				logger.warn("Your account is locked or de-activated. Please contact administrator");
+				return ResponseEntity.status(HttpStatus.UNAUTHORIZED).body("Your account is locked or de-activated. Please contact administrator.");
+			}
+			if(user.getStatusID()>2){
+				logger.warn("Your account is not active. Please contact administrator");
+				return ResponseEntity.status(HttpStatus.UNAUTHORIZED).body("Your account is not active. Please contact administrator.");
+			}
+
 			// Validate that the user still exists and is active
 			if (user == null) {
 				logger.warn("Token validation failed: user not found for userId in token.");