Ensures that in-active users are not allowed to login. (#618)

2016-12-19 22:58:57 -08:00
parent c7fdb2acd7
commit 2f5f82d797
4 changed files with 30 additions and 4 deletions
--- a/lemur/auth/service.py
+++ b/lemur/auth/service.py
@ -68,7 +68,7 @@ def create_token(user):

 def login_required(f):
    """
-    Validates the JWT and ensures that is has not expired.
+    Validates the JWT and ensures that is has not expired and the user is still active.

    :param f:
    :return:
@ -94,7 +94,12 @@ def login_required(f):
        except jwt.InvalidTokenError:
            return dict(message='Token is invalid'), 403

-        g.current_user = user_service.get(payload['sub'])
+        user = user_service.get(payload['sub'])
+
+        if not user.active:
+            return dict(message='User is not currently active'), 403
+
+        g.current_user = user

        if not g.current_user:
            return dict(message='You are not logged in'), 403
--- a/lemur/auth/views.py
+++ b/lemur/auth/views.py
@ -93,7 +93,7 @@ class Login(Resource):
        else:
            user = user_service.get_by_username(args['username'])

-        if user and user.check_password(args['password']):
+        if user and user.check_password(args['password']) and user.active:
            # Tell Flask-Principal the identity changed
            identity_changed.send(current_app._get_current_object(),
                                  identity=Identity(user.id))
@ -194,6 +194,7 @@ class Ping(Resource):
            roles.append(role)

        role = role_service.get_by_name(profile['email'])
+
        if not role:
            role = role_service.create(profile['email'], description='This is a user specific role')
        roles.append(role)
@ -231,9 +232,14 @@ class Ping(Resource):
                roles
            )

+        if not user.active:
+            metrics.send('invalid_login', 'counter', 1)
+            return dict(message='The supplied credentials are invalid'), 403
+
        # Tell Flask-Principal the identity changed
        identity_changed.send(current_app._get_current_object(), identity=Identity(user.id))

+        metrics.send('successful_login', 'counter', 1)
        return dict(token=create_token(user))


@ -272,10 +278,16 @@ class Google(Resource):

        user = user_service.get_by_email(profile['email'])

+        if not user.active:
+            metrics.send('invalid_login', 'counter', 1)
+            return dict(message='The supplied credentials are invalid.'), 401
+
        if user:
            metrics.send('successful_login', 'counter', 1)
            return dict(token=create_token(user))

+        metrics.send('invalid_login', 'counter', 1)
+

 class Providers(Resource):
    def get(self):