prevent disabled user from using the api

2022-04-27 16:24:38 +02:00 · 2022-04-27 16:24:38 +02:00 · 7b7cb0b571
parent eab7606f93
commit 7b7cb0b571
2 changed files with 22 additions and 0 deletions
--- a/app/api/base.py
+++ b/app/api/base.py
@ -30,6 +30,9 @@ def require_api_auth(f):

            g.user = api_key.user

+        if g.user.disabled:
+            return jsonify(error="Disabled account"), 403
+
        return f(*args, **kwargs)

    return decorated
--- a/tests/api/test_alias.py
+++ b/tests/api/test_alias.py
@ -612,3 +612,22 @@ def test_toggle_contact(flask_client):

    assert r.status_code == 200
    assert r.json == {"block_forward": True}
+
+
+def test_get_aliases_disabled_account(flask_client):
+    user, api_key = get_new_user_and_api_key()
+
+    r = flask_client.get(
+        "/api/v2/aliases?page_id=0",
+        headers={"Authentication": api_key.code},
+    )
+    assert r.status_code == 200
+
+    user.disabled = True
+    Session.commit()
+
+    r = flask_client.get(
+        "/api/v2/aliases?page_id=0",
+        headers={"Authentication": api_key.code},
+    )
+    assert r.status_code == 403