fix: prevent invisible-status bypass via statusDefault fallback

Author: ricardogarim

apps/meteor/app/api/server/v1/users.ts

@@ -2008,12 +2008,6 @@ API.v1
 				});
 			}
 
-			if (this.bodyParams.status === 'offline' && !settings.get('Accounts_AllowInvisibleStatusOption')) {
-				throw new Meteor.Error('error-status-not-allowed', 'Invisible status is disabled', {
-					method: 'users.setStatus',
-				});
-			}
-
 			const { status, message, expiresAt } = this.bodyParams;
 
 			const statusExpiresAt = expiresAt ? new Date(expiresAt) : undefined;
@@ -2025,8 +2019,15 @@ API.v1
 
 			// If status is missing (message-only update), keep the user's chosen status (statusDefault),
 			// not the computed status — otherwise a transient auto-away/offline gets pinned as a manual claim.
-			const statusToUpdate = status || user.statusDefault || ('online' as UserStatus);
-			await Presence.setStatus(user._id, statusToUpdate, message, statusExpiresAt);
+			const effectiveStatus = status || user.statusDefault || ('online' as UserStatus);
+
+			if (effectiveStatus === 'offline' && !settings.get('Accounts_AllowInvisibleStatusOption')) {
+				throw new Meteor.Error('error-status-not-allowed', 'Invisible status is disabled', {
+					method: 'users.setStatus',
+				});
+			}
+
+			await Presence.setStatus(user._id, effectiveStatus, message, statusExpiresAt);
 
 			if (status) {
 				void wrapExceptions(() => Calendar.cancelUpcomingStatusChanges(user._id)).suppress();

apps/meteor/app/user-status/server/methods/setUserStatus.ts

@@ -24,15 +24,15 @@ export const setUserStatusMethod = async (
 		});
 	}
 
-	if (statusType === UserStatus.OFFLINE && !settings.get('Accounts_AllowInvisibleStatusOption')) {
+	const effectiveStatus = statusType || user.statusDefault || UserStatus.ONLINE;
+
+	if (effectiveStatus === UserStatus.OFFLINE && !settings.get('Accounts_AllowInvisibleStatusOption')) {
 		throw new Meteor.Error('error-status-not-allowed', 'Invisible status is disabled', {
 			method: 'setUserStatus',
 		});
 	}
 
-	// If only the status message changes (no statusType), use the user's statusDefault (their chosen status).
-	// This avoids overwriting transient status (auto-away, offline) with a manual claim.
-	await Presence.setStatus(user._id, statusType || user.statusDefault || UserStatus.ONLINE, statusText);
+	await Presence.setStatus(user._id, effectiveStatus, statusText);
 };
 
 Meteor.methods<ServerMethods>({

apps/meteor/tests/end-to-end/api/users.ts

@@ -5713,6 +5713,23 @@ describe('[Users]', () => {
 
 			await updateSetting('Accounts_AllowInvisibleStatusOption', true);
 		});
+		it('should reject a message-only update when status resolves to offline via statusDefault and "Accounts_AllowInvisibleStatusOption" is disabled', async () => {
+			await updateSetting('Accounts_AllowInvisibleStatusOption', true);
+			await request.post(api('users.setStatus')).set(credentials).send({ status: 'offline' }).expect(200);
+			await updateSetting('Accounts_AllowInvisibleStatusOption', false);
+
+			await request
+				.post(api('users.setStatus'))
+				.set(credentials)
+				.send({ message: 'still trying to stay invisible' })
+				.expect(400)
+				.expect((res) => {
+					expect(res.body).to.have.property('success', false);
+					expect(res.body.errorType).to.be.equal('error-status-not-allowed');
+				});
+
+			await updateSetting('Accounts_AllowInvisibleStatusOption', true);
+		});
 		it('should return an error when the payload is missing all supported fields', (done) => {
 			void request
 				.post(api('users.setStatus'))