stages/user_login: add check for user.is_active and tests

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
This commit is contained in:
Jens Langhammer 2021-10-04 18:37:05 +02:00
parent 418e491799
commit b5649bdcc4
2 changed files with 32 additions and 2 deletions

View file

@ -5,6 +5,7 @@ from django.http import HttpRequest, HttpResponse
from django.utils.translation import gettext as _
from structlog.stdlib import get_logger
from authentik.core.models import User
from authentik.flows.planner import PLAN_CONTEXT_PENDING_USER
from authentik.flows.stage import StageView
from authentik.lib.utils.time import timedelta_from_string
@ -32,9 +33,12 @@ class UserLoginStageView(StageView):
backend = self.executor.plan.context.get(
PLAN_CONTEXT_AUTHENTICATION_BACKEND, BACKEND_INBUILT
)
user: User = self.executor.plan.context[PLAN_CONTEXT_PENDING_USER]
if not user.is_active:
LOGGER.warning("User is not active, login will not work.")
login(
self.request,
self.executor.plan.context[PLAN_CONTEXT_PENDING_USER],
user,
backend=backend,
)
delta = timedelta_from_string(self.executor.current_stage.session_duration)
@ -45,7 +49,7 @@ class UserLoginStageView(StageView):
LOGGER.debug(
"Logged in",
backend=backend,
user=self.executor.plan.context[PLAN_CONTEXT_PENDING_USER],
user=user,
flow_slug=self.executor.flow.slug,
session_duration=self.executor.current_stage.session_duration,
)

View file

@ -109,3 +109,29 @@ class TestUserLoginStage(APITestCase):
},
},
)
def test_inactive_account(self):
"""Test with a valid pending user and backend"""
self.user.is_active = False
self.user.save()
plan = FlowPlan(flow_pk=self.flow.pk.hex, bindings=[self.binding], markers=[StageMarker()])
plan.context[PLAN_CONTEXT_PENDING_USER] = self.user
session = self.client.session
session[SESSION_KEY_PLAN] = plan
session.save()
response = self.client.get(
reverse("authentik_api:flow-executor", kwargs={"flow_slug": self.flow.slug})
)
self.assertEqual(response.status_code, 200)
self.assertJSONEqual(
force_str(response.content),
{
"component": "xak-flow-redirect",
"to": reverse("authentik_core:root-redirect"),
"type": ChallengeTypes.REDIRECT.value,
},
)
response = self.client.get(reverse("authentik_api:application-list"))
self.assertEqual(response.status_code, 403)