Merge branch 'fix/deactivated-user-error' into 'develop'

Return 403 for deactivated user on token request Closes #785 See merge request pleroma/pleroma!1031
2019-04-06 22:19:30 +00:00 · 2019-04-06 22:19:30 +00:00 · fb2040d061
commit fb2040d061
parent 876965a7e7 7aa53d52bd
2 changed files with 32 additions and 0 deletions
--- a/lib/pleroma/web/oauth/oauth_controller.ex
+++ b/lib/pleroma/web/oauth/oauth_controller.ex
@ -152,6 +152,7 @@ defmodule Pleroma.Web.OAuth.OAuthController do
    with {_, {:ok, %User{} = user}} <- {:get_user, Authenticator.get_user(conn)},
         %App{} = app <- get_app_from_request(conn, params),
         {:auth_active, true} <- {:auth_active, User.auth_active?(user)},
+         {:user_active, true} <- {:user_active, !user.info.deactivated},
         scopes <- oauth_scopes(params, app.scopes),
         [] <- scopes -- app.scopes,
         true <- Enum.any?(scopes),
@ -175,6 +176,11 @@ defmodule Pleroma.Web.OAuth.OAuthController do
        |> put_status(:forbidden)
        |> json(%{error: "Your login is missing a confirmed e-mail address"})

+      {:user_active, false} ->
+        conn
+        |> put_status(:forbidden)
+        |> json(%{error: "Your account is currently disabled"})
+
      _error ->
        put_status(conn, 400)
        |> json(%{error: "Invalid credentials"})