Verified Commit 7cc20cd9 authored by Kevin Morris's avatar Kevin Morris

fix: suspended users should not be able to login


Signed-off-by: Kevin Morris's avatarKevin Morris <kevr@0cost.org>
parent e43e1c6d
......@@ -46,13 +46,19 @@ async def login_post(request: Request,
raise HTTPException(status_code=HTTPStatus.BAD_REQUEST,
detail=_("Bad Referer header."))
user = db.query(User).filter(
or_(User.Username == user, User.Email == user)
).first()
with db.begin():
user = db.query(User).filter(
or_(User.Username == user, User.Email == user)
).first()
if not user:
return await login_template(request, next,
errors=["Bad username or password."])
if user.Suspended:
return await login_template(request, next,
errors=["Account Suspended"])
cookie_timeout = cookies.timeout(remember_me)
sid = user.login(request, passwd, cookie_timeout)
if not sid:
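Review bot: The new `if user.Suspended:` branch runs before the password is checked, so a request that knows only a username or e-mail learns that the account exists and is suspended (a message distinct from the generic `Bad username or password.`), which is an account-enumeration oracle. Consider moving the suspension check to after the credential check that follows `sid = user.login(request, passwd, cookie_timeout)`, so `Account Suspended` is only shown to a caller who supplied the correct password and no session is created for a suspended account — this assumes `login()` returns no session id on a bad password, which the hunk does not show. Also, `Account Suspended` and `Bad username or password.` are not wrapped in `_()` the way `Bad Referer header.` is two lines above, so they will not be translated. `login_post` starts and ends outside this hunk, and indentation is lost in this rendering, so whether the remainder of the body now sits inside `with db.begin():` cannot be confirmed from this view.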
......@@ -14,6 +14,7 @@ from aurweb.asgi import app
from aurweb.models.account_type import USER_ID
from aurweb.models.session import Session
from aurweb.models.user import User
from aurweb.testing.html import get_errors
# Some test global constants.
TEST_USERNAME = "test"
......@@ -79,6 +80,21 @@ def test_login_logout(client: TestClient, user: User):
assert "AURSID" not in response.cookies
def test_login_suspended(client: TestClient, user: User):
with db.begin():
user.Suspended = 1
data = {
"user": user.Username,
"passwd": "testPassword",
"next": "/"
}
with client as request:
resp = request.post("/login", data=data)
errors = get_errors(resp.text)
assert errors[0].text.strip() == "Account Suspended"
def test_login_email(client: TestClient, user: user):
post_data = {
"user": user.Email,
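Review bot: `test_login_suspended` only asserts on the rendered error text and never checks that no session was issued, which is the property the fix actually protects. Add `assert "AURSID" not in resp.cookies` after the post, mirroring the check at the end of `test_login_logout` above, so a regression that renders the message but still goes on to call `user.login()` is caught. The test also sets `user.Suspended = 1` on the shared `user` fixture without resetting it; whether that fixture is rebuilt per test is not visible here, and if it is not, later tests in this module would run against a suspended user.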