FIX: deactivated users shouldn't be able to log in

2014-04-28 13:46:28 -04:00 · 2014-04-28 13:46:28 -04:00 · 1da59e7e2e
parent 9fba385172
commit 1da59e7e2e
5 changed files with 20 additions and 4 deletions
--- a/app/controllers/admin/users_controller.rb
+++ b/app/controllers/admin/users_controller.rb
@ -57,7 +57,7 @@ class Admin::UsersController < Admin::AdminController
  end

  def refresh_browsers
-    MessageBus.publish "/file-change", ["refresh"], user_ids: [@user.id]
+    refresh_browser @user
    render nothing: true
  end

@ -131,6 +131,7 @@ class Admin::UsersController < Admin::AdminController
  def deactivate
    guardian.ensure_can_deactivate!(@user)
    @user.deactivate
+    refresh_browser @user
    render nothing: true
  end

@ -182,4 +183,8 @@ class Admin::UsersController < Admin::AdminController
      @user = User.where(id: params[:user_id]).first
    end

+    def refresh_browser(user)
+      MessageBus.publish "/file-change", ["refresh"], user_ids: [user.id]
+    end
+
 end
--- a/app/controllers/session_controller.rb
+++ b/app/controllers/session_controller.rb
@ -82,7 +82,7 @@ class SessionController < ApplicationController
      return
    end

-    user.email_confirmed? ? login(user) : not_activated(user)
+    (user.active && user.email_confirmed?) ? login(user) : not_activated(user)
  end

  def forgot_password
--- a/lib/auth/default_current_user_provider.rb
+++ b/lib/auth/default_current_user_provider.rb
@ -27,7 +27,7 @@ class Auth::DefaultCurrentUserProvider
      current_user = User.where(auth_token: auth_token).first
    end

-    if current_user && current_user.suspended?
+    if current_user && (current_user.suspended? || !current_user.active)
      current_user = nil
    end

--- a/lib/guardian.rb
+++ b/lib/guardian.rb
@ -134,7 +134,10 @@ class Guardian
  def can_approve?(target)
    is_staff? && target && not(target.approved?)
  end
-  alias :can_activate? :can_approve?
+
+  def can_activate?(target)
+    is_staff? && target && not(target.active?)
+  end

  def can_suspend?(user)
    user && is_staff? && user.regular?
--- a/spec/controllers/session_controller_spec.rb
+++ b/spec/controllers/session_controller_spec.rb
@ -195,6 +195,14 @@ describe SessionController do
        end
      end

+      describe 'deactivated user' do
+        it 'should return an error' do
+          User.any_instance.stubs(:active).returns(false)
+          xhr :post, :create, login: user.username, password: 'myawesomepassword'
+          expect(JSON.parse(response.body)['error']).to eq(I18n.t('login.not_activated'))
+        end
+      end
+
      describe 'success by username' do
        it 'logs in correctly' do
          xhr :post, :create, login: user.username, password: 'myawesomepassword'