server/views: Handle disabled user

Author: andras-tim

server/app/models.py

@@ -34,7 +34,7 @@ def is_authenticated(self) -> bool:
 
     # flask-loginmanager
     def is_active(self) -> bool:
-        return True
+        return not self.disabled
 
     # flask-loginmanager
     def is_anonymous(self) -> bool:

server/app/views/common.py

@@ -1,6 +1,6 @@
 from flask import g, request
 from flask.ext.restful import abort
-from flask.ext.login import current_user, login_required as login_required_decorator
+from flask.ext.login import current_user, login_required as login_required_decorator, logout_user
 from functools import wraps
 
 from app import doc_mode, test_mode
@@ -27,6 +27,10 @@ def before_request():
 
     app.logger.debug(request)
 
+    if g.user.is_authenticated() and not g.user.is_active():
+        logout_user()
+        app.logger.debug("before_request: user: %s\nlogged out because is not active" % str(g.user))
+
     if g.user.is_authenticated():
         app.logger.debug("before_request: user: %s\nauthenticated" % str(g.user))
     else:

server/app/views/session.py

@@ -22,17 +22,18 @@ def get(self):
               login_required=False,
               request=ExampleUsers.ADMIN.set(["username", "password"]),
               response=ExampleUsers.ADMIN.get(),
-              status_codes={401: "bad authentication data"})
+              status_codes={401: "bad authentication data or user is disabled"})
     def post(self):
         form = SessionCreateForm()
         if not form.validate_on_submit():
             abort(422, message=form.errors)
 
         user = User.get_user(form.username.data)
         if not user or not user.check_password(form.password.data):
-            login_user(user)
-            return UserSerializer(user).data, 201
-        abort(401)
+            abort(401)
+        if not login_user(user):
+            abort(401)
+        return UserSerializer(user).data, 201
 
     @api_func("Logout user", url_tail="sessions",
               response=None)

server/test/views/test_session.py

@@ -66,3 +66,23 @@ def test_re_login_with_different_user(self):
     def test_logout(self):
         self.assertRequest("delete", "/sessions")
         self.assertRequest("get", "/sessions", expected_status_codes=401)
+
+
+class TestDisabledUser(CommonSessionTest):
+    def setUp(self):
+        super().setUp()
+        self.assertRequestAsAdmin("post", "/users", data=Users.USER1.set())
+        self.assertRequestAsAdmin("put", "/users/%d" % Users.USER1["id"],
+                                  data=Users.USER1.set(change={"disabled": True}))
+        self.assertRequestAsAdmin("post", "/users", data=Users.USER2.set())
+
+    def test_logging_in_with_disabled_user(self):
+        self.assertRequest("post", "/sessions", data=Users.USER1.login(),
+                           expected_status_codes=401)
+
+    def test_logging_out_recently_disabled_user(self):
+        self.assertRequest("post", "/sessions", data=Users.USER2.login(),
+                           expected_status_codes=201)
+        self.assertRequest("put", "/users/%d" % Users.USER2["id"],
+                           data=Users.USER2.set(change={"disabled": True}))
+        self.assertRequest("get", "/sessions", expected_status_codes=401)