Commit d1ce87a8 authored by Elouan Martinet

[tools] Check that the user is activated when authenticating

parent d24836491477
......@@ -167,8 +167,6 @@ def authenticate_user(session, tokenid, signed_content, signature):
:signature: the signature (usually extracted from the headers
using get_credentals_from_headers), as *bytes*
Warning: it does not check whether the user is enabled or not.
Returns the user's eid on success.
"""
......@@ -176,7 +174,9 @@ def authenticate_user(session, tokenid, signed_content, signature):
rset = session.execute('Any U, K WHERE T token_for_user U, '
' T token K, '
' T enabled True, '
' T id %(id)s',
' T id %(id)s, '
' U in_state ST, '
' ST name "activated"',
{'id': tokenid})
if not rset:
return
......
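Review bot: The docstring in the first hunk drops the old warning but says nothing about the new behaviour, so a caller still reads `Returns the user's eid on success.` without learning that a deactivated user now fails exactly like a missing or disabled token; I would add `Returns None when no enabled token matches or when the user is not in the "activated" state.` after that line. The state name is matched as a literal `"activated"` inside the RQL string, so a one-line comment naming the dependency, e.g. `# reject users whose CWUser workflow state is not "activated"` above `rset = session.execute(`, would stop a later workflow rename from silently locking everyone out. Because the same `return` path covers an unknown token, a disabled token and a deactivated user, a log line that distinguishes the user-state rejection would help when auditing failed authentications; whether this module already logs is not visible here. authenticate_user continues outside the hunk.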
......@@ -185,3 +185,22 @@ class SignedRequestBaseTC(object):
url='/testauth?key1=value1'
)
self._assert_auth(req, result)
def test_deactivated_user(self):
with self.admin_access.repo_cnx() as cnx:
user = cnx.find("CWUser", login="admin").one()
flowable = user.cw_adapt_to("IWorkflowable")
flowable.fire_transition("deactivate")
cnx.commit()
result, req = self._test_header_format(
method="Cubicweb", login="admin")
self._assert_auth_failed(req, result)
flowable.fire_transition("activate")
cnx.commit()
result, req = self._test_header_format(
method="Cubicweb", login="admin")
self._assert_auth(req, result)
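Review bot: The reactivation at `flowable.fire_transition("activate")` is only reached if `_assert_auth_failed` passes, so a failing assertion leaves the admin account deactivated for every later test in the class unless the test base restores the database between tests, which is not visible here; the deactivate/assert/activate sequence should be wrapped in `try`/`finally` so the account is restored regardless. The enclosing class SignedRequestBaseTC starts outside the hunk, and the rendered page has lost the indentation, so the nesting of the `with` block below is inferred. Firing "activate" after the intervening `_test_header_format` call assumes the adapter still holds a valid entity on the same `cnx`, which the test already relies on for its success path.
```python
            # … unchanged: find admin, adapt to IWorkflowable …
            flowable.fire_transition("deactivate")
            cnx.commit()
            try:
                result, req = self._test_header_format(
                    method="Cubicweb", login="admin")
                self._assert_auth_failed(req, result)
            finally:
                # restore the account even when the assertion above fails
                flowable.fire_transition("activate")
                cnx.commit()
            # … unchanged: re-authenticate and _assert_auth …
```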