Check banned status for external auths

2021-02-01 09:24:14 +01:00 · 2021-02-01 09:24:14 +01:00 · 33c7131be5
parent e01146559a
commit 33c7131be5
2 changed files with 24 additions and 1 deletions
--- a/server/lib/oauth-model.ts
+++ b/server/lib/oauth-model.ts
@ -119,6 +119,8 @@ async function getUser (usernameOrEmail?: string, password?: string) {
      // This user does not belong to this plugin, skip it
      if (user.pluginAuth !== obj.pluginName) return null

+      checkUserValidityOrThrow(user)
+
      return user
    }
  }
@ -132,7 +134,7 @@ async function getUser (usernameOrEmail?: string, password?: string) {
  const passwordMatch = await user.isPasswordMatch(password)
  if (passwordMatch !== true) return null

-  if (user.blocked) throw new AccessDeniedError('User is blocked.')
+  checkUserValidityOrThrow(user)

  if (CONFIG.SIGNUP.REQUIRES_EMAIL_VERIFICATION && user.emailVerified === false) {
    throw new AccessDeniedError('User email is not verified.')
@ -238,3 +240,7 @@ async function createUserFromExternal (pluginAuth: string, options: {

  return user
 }
+
+function checkUserValidityOrThrow (user: MUser) {
+  if (user.blocked) throw new AccessDeniedError('User is blocked.')
+}
--- a/server/tests/external-plugins/auth-ldap.ts
+++ b/server/tests/external-plugins/auth-ldap.ts
@ -4,9 +4,11 @@ import 'mocha'
 import { expect } from 'chai'
 import { User } from '@shared/models/users/user.model'
 import {
+  blockUser,
  getMyUserInformation,
  installPlugin,
  setAccessTokensToServers,
+  unblockUser,
  uninstallPlugin,
  updatePluginSettings,
  uploadVideo,
@ -17,6 +19,7 @@ import { cleanupTests, flushAndRunServer, ServerInfo } from '../../../shared/ext
 describe('Official plugin auth-ldap', function () {
  let server: ServerInfo
  let accessToken: string
+  let userId: number

  before(async function () {
    this.timeout(30000)
@ -90,12 +93,26 @@ describe('Official plugin auth-ldap', function () {

    expect(body.username).to.equal('fry')
    expect(body.email).to.equal('fry@planetexpress.com')
+
+    userId = body.id
  })

  it('Should upload a video', async function () {
    await uploadVideo(server.url, accessToken, { name: 'my super video' })
  })

+  it('Should not be able to login if the user is banned', async function () {
+    await blockUser(server.url, userId, server.accessToken)
+
+    await userLogin(server, { username: 'fry@planetexpress.com', password: 'fry' }, 400)
+  })
+
+  it('Should be able to login if the user is unbanned', async function () {
+    await unblockUser(server.url, userId, server.accessToken)
+
+    await userLogin(server, { username: 'fry@planetexpress.com', password: 'fry' })
+  })
+
  it('Should not login if the plugin is uninstalled', async function () {
    await uninstallPlugin({ url: server.url, accessToken: server.accessToken, npmName: 'peertube-plugin-auth-ldap' })