From 0ec5aeb8a76653935caefa0de92861269f98f343 Mon Sep 17 00:00:00 2001 From: Lain Iwakura Date: Thu, 7 Dec 2017 17:41:34 +0100 Subject: [PATCH] Don't log in deactivated users. --- lib/pleroma/plugs/authentication_plug.ex | 1 + lib/pleroma/plugs/oauth_plug.ex | 3 ++- test/plugs/authentication_plug_test.exs | 27 ++++++++++++++++++++++++ 3 files changed, 30 insertions(+), 1 deletion(-) diff --git a/lib/pleroma/plugs/authentication_plug.ex b/lib/pleroma/plugs/authentication_plug.ex index beb02eb88..60f6faf49 100644 --- a/lib/pleroma/plugs/authentication_plug.ex +++ b/lib/pleroma/plugs/authentication_plug.ex @@ -12,6 +12,7 @@ def call(%{assigns: %{user: %User{}}} = conn, _), do: conn def call(conn, opts) do with {:ok, username, password} <- decode_header(conn), {:ok, user} <- opts[:fetcher].(username), + false <- !!user.info["deactivated"], saved_user_id <- get_session(conn, :user_id), {:ok, verified_user} <- verify(user, password, saved_user_id) do diff --git a/lib/pleroma/plugs/oauth_plug.ex b/lib/pleroma/plugs/oauth_plug.ex index 775423bb1..be737dc9a 100644 --- a/lib/pleroma/plugs/oauth_plug.ex +++ b/lib/pleroma/plugs/oauth_plug.ex @@ -16,7 +16,8 @@ def call(conn, _) do end with token when not is_nil(token) <- token, %Token{user_id: user_id} <- Repo.get_by(Token, token: token), - %User{} = user <- Repo.get(User, user_id) do + %User{} = user <- Repo.get(User, user_id), + false <- !!user.info["deactivated"] do conn |> assign(:user, user) else diff --git a/test/plugs/authentication_plug_test.exs b/test/plugs/authentication_plug_test.exs index 9d6c2cd70..5480dab43 100644 --- a/test/plugs/authentication_plug_test.exs +++ b/test/plugs/authentication_plug_test.exs @@ -14,6 +14,13 @@ defp fetch_nil(_name) do password_hash: Comeonin.Pbkdf2.hashpwsalt("guy") } + @deactivated %User{ + id: 1, + name: "dude", + password_hash: Comeonin.Pbkdf2.hashpwsalt("guy"), + info: %{"deactivated" => true} + } + @session_opts [ store: :cookie, key: "_test", @@ -131,6 +138,26 @@ test "it assigns the user", %{conn: conn} do end end + describe "with a correct authorization header for an deactiviated user" do + test "it halts the appication", %{conn: conn} do + opts = %{ + optional: false, + fetcher: fn _ -> @deactivated end + } + + header = basic_auth_enc("dude", "guy") + + conn = conn + |> Plug.Session.call(Plug.Session.init(@session_opts)) + |> fetch_session + |> put_req_header("authorization", header) + |> AuthenticationPlug.call(opts) + + assert conn.status == 403 + assert conn.halted == true + end + end + describe "with a user_id in the session for an existing user" do test "it assigns the user", %{conn: conn} do opts = %{