Merge pull request #936 from simple-login/disable-user-cannot-use-api

prevent disabled user from using the api
2022-04-28 12:13:14 +02:00 · 2022-04-28 12:13:14 +02:00 · 93ae82aa46
parent b85f0952a5 7b7cb0b571
commit 93ae82aa46
2 changed files with 22 additions and 0 deletions
--- a/app/api/base.py
+++ b/app/api/base.py
@ -30,6 +30,9 @@ def require_api_auth(f):

            g.user = api_key.user

+        if g.user.disabled:
+            return jsonify(error="Disabled account"), 403
+
        return f(*args, **kwargs)

    return decorated
--- a/tests/api/test_alias.py
+++ b/tests/api/test_alias.py
@ -612,3 +612,22 @@ def test_toggle_contact(flask_client):

    assert r.status_code == 200
    assert r.json == {"block_forward": True}
+
+
+def test_get_aliases_disabled_account(flask_client):
+    user, api_key = get_new_user_and_api_key()
+
+    r = flask_client.get(
+        "/api/v2/aliases?page_id=0",
+        headers={"Authentication": api_key.code},
+    )
+    assert r.status_code == 200
+
+    user.disabled = True
+    Session.commit()
+
+    r = flask_client.get(
+        "/api/v2/aliases?page_id=0",
+        headers={"Authentication": api_key.code},
+    )
+    assert r.status_code == 403