From 3e983e3557ea5029232e6a1c7051ae3e995c68a7 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Adri=C3=A0=20Casaj=C3=BAs?=
Date: Thu, 17 Feb 2022 17:23:38 +0100
Subject: [PATCH] Only allow authenticated and enabled users to accept a OAuth post request

---
 app/oauth/views/authorize.py | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/app/oauth/views/authorize.py b/app/oauth/views/authorize.py
index c7f1240d..17f7b368 100644
--- a/app/oauth/views/authorize.py
+++ b/app/oauth/views/authorize.py
@@ -1,7 +1,7 @@
 from typing import Dict
 from urllib.parse import urlparse
 
-from flask import request, render_template, redirect, flash
+from flask import request, render_template, redirect, flash, url_for
 from flask_login import current_user
 from itsdangerous import SignatureExpired
 
@@ -144,6 +144,12 @@ def authorize():
             Scope=Scope,
         )
     else: # POST - user allows or denies
+        if not current_user.is_authenticated or not current_user.is_enabled:
+            LOG.i(
+                "Attempt to validate a OAUth allow request by an unauthenticated user"
+            )
+            return redirect(url_for("auth.login", next=request.url))
+
         if request.form.get("button") == "deny":
             LOG.d("User %s denies Client %s", current_user, client)
             final_redirect_uri = f"{redirect_uri}?error=deny&state={state}"
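Review bot: The new guard at the top of the POST branch only blocks disabled accounts if `is_enabled` is a property on the user model; if it is a method, `not current_user.is_enabled` tests a bound method object, is always False, and a disabled but logged-in user still reaches the allow/deny handling below — confirm which it is and, if it is a method, write `not current_user.is_enabled()`. The log line reports every rejection as an unauthenticated user even when the cause is a disabled account, and misspells the protocol; recording the actual reason, e.g. `LOG.i("Rejected OAuth allow/deny POST for client %s: authenticated=%s", client, current_user.is_authenticated)`, makes the event usable when reviewing auth logs. Sending a logged-in but disabled user to the login page with `next=request.url` may, depending on how the login view treats already-authenticated sessions, bounce them straight back to this handler rather than explain the refusal — worth checking. The body of authorize() begins outside the hunk, so whether the GET branch applies an equivalent check is not visible here.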