fix: suspended users should not be able to login

Signed-off-by: Kevin Morris <kevr@0cost.org>

aurweb/routers/auth.py

@@ -46,13 +46,19 @@ async def login_post(request: Request,
         raise HTTPException(status_code=HTTPStatus.BAD_REQUEST,
                             detail=_("Bad Referer header."))
 
-    user = db.query(User).filter(
-        or_(User.Username == user, User.Email == user)
-    ).first()
+    with db.begin():
+        user = db.query(User).filter(
+            or_(User.Username == user, User.Email == user)
+        ).first()
+
     if not user:
         return await login_template(request, next,
                                     errors=["Bad username or password."])
 
+    if user.Suspended:
+        return await login_template(request, next,
+                                    errors=["Account Suspended"])
+
     cookie_timeout = cookies.timeout(remember_me)
     sid = user.login(request, passwd, cookie_timeout)
     if not sid:

test/test_auth_routes.py

@@ -14,6 +14,7 @@ from aurweb.asgi import app
 from aurweb.models.account_type import USER_ID
 from aurweb.models.session import Session
 from aurweb.models.user import User
+from aurweb.testing.html import get_errors
 
 # Some test global constants.
 TEST_USERNAME = "test"
@@ -79,6 +80,21 @@ def test_login_logout(client: TestClient, user: User):
     assert "AURSID" not in response.cookies
 
 
+def test_login_suspended(client: TestClient, user: User):
+    with db.begin():
+        user.Suspended = 1
+
+    data = {
+        "user": user.Username,
+        "passwd": "testPassword",
+        "next": "/"
+    }
+    with client as request:
+        resp = request.post("/login", data=data)
+    errors = get_errors(resp.text)
+    assert errors[0].text.strip() == "Account Suspended"
+
+
 def test_login_email(client: TestClient, user: user):
     post_data = {
         "user": user.Email,