Verified Commit 7cc20cd9 authored by Kevin Morris's avatar Kevin Morris

fix: suspended users should not be able to login

Signed-off-by: Kevin Morris's avatarKevin Morris <>
parent e43e1c6d
......@@ -46,13 +46,19 @@ async def login_post(request: Request,
raise HTTPException(status_code=HTTPStatus.BAD_REQUEST,
detail=_("Bad Referer header."))
user = db.query(User).filter(
or_(User.Username == user, User.Email == user)
with db.begin():
user = db.query(User).filter(
or_(User.Username == user, User.Email == user)
if not user:
return await login_template(request, next,
errors=["Bad username or password."])
if user.Suspended:
return await login_template(request, next,
errors=["Account Suspended"])
cookie_timeout = cookies.timeout(remember_me)
sid = user.login(request, passwd, cookie_timeout)
if not sid:
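Review bot: The `if user.Suspended:` branch runs before `user.login(request, passwd, cookie_timeout)`, so "Account Suspended" is returned without any password check, while an unknown name gets "Bad username or password."; the differing responses let an unauthenticated client learn which usernames or e-mail addresses belong to existing, suspended accounts. Consider returning the generic error in the suspended case, e.g. `errors=["Bad username or password."]`, or showing the suspension message only after the password has been verified (whether that is possible without `user.login` creating a session is not visible here). The hunk also does not show whether sessions opened before the suspension are revoked; if they are not, a suspended user stays logged in until the session expires. The body of `login_post` starts and continues outside this hunk.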
......@@ -14,6 +14,7 @@ from aurweb.asgi import app
from aurweb.models.account_type import USER_ID
from aurweb.models.session import Session
from aurweb.models.user import User
from aurweb.testing.html import get_errors
# Some test global constants.
......@@ -79,6 +80,21 @@ def test_login_logout(client: TestClient, user: User):
assert "AURSID" not in response.cookies
def test_login_suspended(client: TestClient, user: User):
with db.begin():
user.Suspended = 1
data = {
"user": user.Username,
"passwd": "testPassword",
"next": "/"
with client as request:
resp ="/login", data=data)
errors = get_errors(resp.text)
assert errors[0].text.strip() == "Account Suspended"
def test_login_email(client: TestClient, user: user):
post_data = {
"user": user.Email,
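Review bot: `test_login_suspended` asserts only the error text, not the property the fix is meant to guarantee, namely that no session is issued to a suspended account. Adding `assert "AURSID" not in resp.cookies` after the `get_errors` assertion, as the preceding test does for its own response, would catch a regression where the message is rendered but a session cookie is still set. A second case that submits a wrong password for the suspended user would also pin down what the endpoint reveals before credentials are checked.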