Don't log in deactivated users.

This commit is contained in:
Lain Iwakura 2017-12-07 17:41:34 +01:00
parent e31a5ff4af
commit 0ec5aeb8a7
3 changed files with 30 additions and 1 deletions

View file

@ -12,6 +12,7 @@ defmodule Pleroma.Plugs.AuthenticationPlug do
def call(conn, opts) do def call(conn, opts) do
with {:ok, username, password} <- decode_header(conn), with {:ok, username, password} <- decode_header(conn),
{:ok, user} <- opts[:fetcher].(username), {:ok, user} <- opts[:fetcher].(username),
false <- !!user.info["deactivated"],
saved_user_id <- get_session(conn, :user_id), saved_user_id <- get_session(conn, :user_id),
{:ok, verified_user} <- verify(user, password, saved_user_id) {:ok, verified_user} <- verify(user, password, saved_user_id)
do do

View file

@ -16,7 +16,8 @@ defmodule Pleroma.Plugs.OAuthPlug do
end end
with token when not is_nil(token) <- token, with token when not is_nil(token) <- token,
%Token{user_id: user_id} <- Repo.get_by(Token, token: token), %Token{user_id: user_id} <- Repo.get_by(Token, token: token),
%User{} = user <- Repo.get(User, user_id) do %User{} = user <- Repo.get(User, user_id),
false <- !!user.info["deactivated"] do
conn conn
|> assign(:user, user) |> assign(:user, user)
else else

View file

@ -14,6 +14,13 @@ defmodule Pleroma.Plugs.AuthenticationPlugTest do
password_hash: Comeonin.Pbkdf2.hashpwsalt("guy") password_hash: Comeonin.Pbkdf2.hashpwsalt("guy")
} }
@deactivated %User{
id: 1,
name: "dude",
password_hash: Comeonin.Pbkdf2.hashpwsalt("guy"),
info: %{"deactivated" => true}
}
@session_opts [ @session_opts [
store: :cookie, store: :cookie,
key: "_test", key: "_test",
@ -131,6 +138,26 @@ defmodule Pleroma.Plugs.AuthenticationPlugTest do
end end
end end
describe "with a correct authorization header for an deactiviated user" do
test "it halts the appication", %{conn: conn} do
opts = %{
optional: false,
fetcher: fn _ -> @deactivated end
}
header = basic_auth_enc("dude", "guy")
conn = conn
|> Plug.Session.call(Plug.Session.init(@session_opts))
|> fetch_session
|> put_req_header("authorization", header)
|> AuthenticationPlug.call(opts)
assert conn.status == 403
assert conn.halted == true
end
end
describe "with a user_id in the session for an existing user" do describe "with a user_id in the session for an existing user" do
test "it assigns the user", %{conn: conn} do test "it assigns the user", %{conn: conn} do
opts = %{ opts = %{