FIX: Do not update `last seen` time for suspended users

2018-07-18 16:04:57 +01:00 · 2018-07-18 16:04:57 +01:00 · 2dc3a50dac
parent f55ac892e4
commit 2dc3a50dac
2 changed files with 41 additions and 8 deletions
--- a/lib/auth/default_current_user_provider.rb
+++ b/lib/auth/default_current_user_provider.rb
@ -75,14 +75,6 @@ class Auth::DefaultCurrentUserProvider
      @env[BAD_TOKEN] = true
    end

-    if current_user && should_update_last_seen?
-      u = current_user
-      Scheduler::Defer.later "Updating Last Seen" do
-        u.update_last_seen!
-        u.update_ip_address!(request.ip)
-      end
-    end
-
    # possible we have an api call, impersonate
    if api_key
      current_user = lookup_api_user(api_key, request)
@ -127,6 +119,14 @@ class Auth::DefaultCurrentUserProvider
      current_user = nil
    end

+    if current_user && should_update_last_seen?
+      u = current_user
+      Scheduler::Defer.later "Updating Last Seen" do
+        u.update_last_seen!
+        u.update_ip_address!(request.ip)
+      end
+    end
+
    @env[CURRENT_USER_KEY] = current_user
  end

--- a/spec/components/auth/default_current_user_provider_spec.rb
+++ b/spec/components/auth/default_current_user_provider_spec.rb
@ -156,6 +156,39 @@ describe Auth::DefaultCurrentUserProvider do
          ).should_update_last_seen?).to eq(false)
  end

+  it "should not update last seen for suspended users" do
+    user = Fabricate(:user)
+    provider = provider('/')
+    cookies = {}
+    provider.log_on_user(user, {}, cookies)
+    unhashed_token = cookies["_t"][:value]
+
+    freeze_time
+    Sidekiq::Testing.inline! do
+      # Need to clear this key from redis, otherwise
+      # this test could fail if run twice in 1 minute
+      $redis.del("user:#{user.id}:#{Time.now.to_date}")
+      provider2 = provider("/", "HTTP_COOKIE" => "_t=#{unhashed_token}")
+      u = provider2.current_user
+      u.reload
+      expect(u.last_seen_at).to eq(Time.now)
+
+      freeze_time 20.minutes.from_now
+
+      u.last_seen_at = nil
+      u.suspended_till = 1.year.from_now
+      u.save!
+
+      $redis.del("user:#{user.id}:#{Time.now.to_date}")
+      provider2 = provider("/", "HTTP_COOKIE" => "_t=#{unhashed_token}")
+      expect(provider2.current_user).to eq(nil)
+
+      u.reload
+      expect(u.last_seen_at).to eq(nil)
+    end
+
+  end
+
  it "should update ajax reqs with discourse visible" do
    expect(provider("/topic/anything/goes",
                    :method => "POST",