Ensures that in-active users are not allowed to login. (#618)
This commit is contained in:
parent
c7fdb2acd7
commit
2f5f82d797
@ -68,7 +68,7 @@ def create_token(user):
|
||||
|
||||
def login_required(f):
|
||||
"""
|
||||
Validates the JWT and ensures that is has not expired.
|
||||
Validates the JWT and ensures that is has not expired and the user is still active.
|
||||
|
||||
:param f:
|
||||
:return:
|
||||
@ -94,7 +94,12 @@ def login_required(f):
|
||||
except jwt.InvalidTokenError:
|
||||
return dict(message='Token is invalid'), 403
|
||||
|
||||
g.current_user = user_service.get(payload['sub'])
|
||||
user = user_service.get(payload['sub'])
|
||||
|
||||
if not user.active:
|
||||
return dict(message='User is not currently active'), 403
|
||||
|
||||
g.current_user = user
|
||||
|
||||
if not g.current_user:
|
||||
return dict(message='You are not logged in'), 403
|
||||
|
@ -93,7 +93,7 @@ class Login(Resource):
|
||||
else:
|
||||
user = user_service.get_by_username(args['username'])
|
||||
|
||||
if user and user.check_password(args['password']):
|
||||
if user and user.check_password(args['password']) and user.active:
|
||||
# Tell Flask-Principal the identity changed
|
||||
identity_changed.send(current_app._get_current_object(),
|
||||
identity=Identity(user.id))
|
||||
@ -194,6 +194,7 @@ class Ping(Resource):
|
||||
roles.append(role)
|
||||
|
||||
role = role_service.get_by_name(profile['email'])
|
||||
|
||||
if not role:
|
||||
role = role_service.create(profile['email'], description='This is a user specific role')
|
||||
roles.append(role)
|
||||
@ -231,9 +232,14 @@ class Ping(Resource):
|
||||
roles
|
||||
)
|
||||
|
||||
if not user.active:
|
||||
metrics.send('invalid_login', 'counter', 1)
|
||||
return dict(message='The supplied credentials are invalid'), 403
|
||||
|
||||
# Tell Flask-Principal the identity changed
|
||||
identity_changed.send(current_app._get_current_object(), identity=Identity(user.id))
|
||||
|
||||
metrics.send('successful_login', 'counter', 1)
|
||||
return dict(token=create_token(user))
|
||||
|
||||
|
||||
@ -272,10 +278,16 @@ class Google(Resource):
|
||||
|
||||
user = user_service.get_by_email(profile['email'])
|
||||
|
||||
if not user.active:
|
||||
metrics.send('invalid_login', 'counter', 1)
|
||||
return dict(message='The supplied credentials are invalid.'), 401
|
||||
|
||||
if user:
|
||||
metrics.send('successful_login', 'counter', 1)
|
||||
return dict(token=create_token(user))
|
||||
|
||||
metrics.send('invalid_login', 'counter', 1)
|
||||
|
||||
|
||||
class Providers(Resource):
|
||||
def get(self):
|
||||
|
9
lemur/static/app/angular/app.js
vendored
9
lemur/static/app/angular/app.js
vendored
@ -105,6 +105,15 @@
|
||||
RestangularConfigurer.setBaseUrl('http://localhost:8000/api/1');
|
||||
RestangularConfigurer.setDefaultHttpFields({withCredentials: true});
|
||||
|
||||
// handle situation where our token has become invalid.
|
||||
RestangularConfigurer.setErrorInterceptor(function (response) {
|
||||
if (response.status === 403) {
|
||||
$auth.logout();
|
||||
$location.path('/login');
|
||||
return false;
|
||||
}
|
||||
});
|
||||
|
||||
RestangularConfigurer.addResponseInterceptor(function (data, operation) {
|
||||
var extractedData;
|
||||
|
||||
|
@ -27,7 +27,7 @@
|
||||
<td data-title="'Active'" sortable="'active'">
|
||||
<i class="glyphicon glyphicon-ok" ng-show="certificate.san == 'true'"></i>
|
||||
<i class="glyphicon glyphicon-remove" ng-show="certificate.san == 'false'"></i>
|
||||
<i ng-show="user.active" class="glyphicon glyphicon-ok"></i><i ng-show="!user.active" class="glyphicon gplyphinco-remove"></i>
|
||||
<i ng-show="user.active" class="glyphicon glyphicon-ok"></i><i ng-show="!user.active" class="glyphicon glyphicon-remove"></i>
|
||||
</td>
|
||||
<td data-title="''">
|
||||
<div class="btn-group-vertical pull-right">
|
||||
|
Loading…
Reference in New Issue
Block a user