Return 403 on oauth token exchange for a deactivated user

2019-04-06 00:22:42 +03:00 · 2019-04-06 00:22:42 +03:00 · 7aa53d52bd
commit 7aa53d52bd
parent e3ca9f708f
2 changed files with 32 additions and 0 deletions
--- a/lib/pleroma/web/oauth/oauth_controller.ex
+++ b/lib/pleroma/web/oauth/oauth_controller.ex
@ -152,6 +152,7 @@ defmodule Pleroma.Web.OAuth.OAuthController do
    with {_, {:ok, %User{} = user}} <- {:get_user, Authenticator.get_user(conn)},
         %App{} = app <- get_app_from_request(conn, params),
         {:auth_active, true} <- {:auth_active, User.auth_active?(user)},
+         {:user_active, true} <- {:user_active, !user.info.deactivated},
         scopes <- oauth_scopes(params, app.scopes),
         [] <- scopes -- app.scopes,
         true <- Enum.any?(scopes),
@ -175,6 +176,11 @@ defmodule Pleroma.Web.OAuth.OAuthController do
        |> put_status(:forbidden)
        |> json(%{error: "Your login is missing a confirmed e-mail address"})

+      {:user_active, false} ->
+        conn
+        |> put_status(:forbidden)
+        |> json(%{error: "Your account is currently disabled"})
+
      _error ->
        put_status(conn, 400)
        |> json(%{error: "Invalid credentials"})