From 2dc3a50dacb2aa699b0c68c9abf8fcc5436dc81b Mon Sep 17 00:00:00 2001
From: David Taylor
Date: Wed, 18 Jul 2018 16:04:57 +0100
Subject: [PATCH] FIX: Do not update `last seen` time for suspended users
---
 lib/auth/default_current_user_provider.rb | 16 ++++-----
 .../default_current_user_provider_spec.rb | 33 +++++++++++++++++++
 2 files changed, 41 insertions(+), 8 deletions(-)
diff --git a/lib/auth/default_current_user_provider.rb b/lib/auth/default_current_user_provider.rb
index 4d7521046c8..e34ce1c0683 100644
--- a/lib/auth/default_current_user_provider.rb
+++ b/lib/auth/default_current_user_provider.rb
@@ -75,14 +75,6 @@ class Auth::DefaultCurrentUserProvider
 @env[BAD_TOKEN] = true
 end

- if current_user && should_update_last_seen?
- u = current_user
- Scheduler::Defer.later "Updating Last Seen" do
- u.update_last_seen!
- u.update_ip_address!(request.ip)
- end
- end
-
 # possible we have an api call, impersonate
 if api_key
 current_user = lookup_api_user(api_key, request)
@@ -127,6 +119,14 @@ class Auth::DefaultCurrentUserProvider
 current_user = nil
 end

+ if current_user && should_update_last_seen?
+ u = current_user
+ Scheduler::Defer.later "Updating Last Seen" do
+ u.update_last_seen!
+ u.update_ip_address!(request.ip)
+ end
+ end
+
 @env[CURRENT_USER_KEY] = current_user
 end

diff --git a/spec/components/auth/default_current_user_provider_spec.rb b/spec/components/auth/default_current_user_provider_spec.rb
index 75a76ef27a1..b3a3d7a54eb 100644
--- a/spec/components/auth/default_current_user_provider_spec.rb
+++ b/spec/components/auth/default_current_user_provider_spec.rb
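Review bot: In lib/auth/default_current_user_provider.rb, the relocated `if current_user && should_update_last_seen?` block (second hunk) now sits below the `if api_key` branch visible in the first hunk, so `current_user` at that point can be the account returned by `lookup_api_user` rather than only the cookie session's user. Unless `should_update_last_seen?` (not visible here) already excludes API requests, API-key calls would now bump `last_seen_at` and store the API client's `request.ip` on that account, which skews the activity and IP history used for moderation and investigation. If that is not intended, narrow the guard, for example `if current_user && !api_key && should_update_last_seen?` (assuming `api_key` is still in scope there), and add a spec for an API request. A comment such as `# keep below the suspended/inactive safeguard so blocked accounts never get last-seen or IP updates` would also stop the block from drifting back up. The enclosing method starts and ends outside both hunks.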
@@ -156,6 +156,39 @@ describe Auth::DefaultCurrentUserProvider do
 ).should_update_last_seen?).to eq(false)
 end

+ it "should not update last seen for suspended users" do
+ user = Fabricate(:user)
+ provider = provider('/')
+ cookies = {}
+ provider.log_on_user(user, {}, cookies)
+ unhashed_token = cookies["_t"][:value]
+
+ freeze_time
+ Sidekiq::Testing.inline! do
+ # Need to clear this key from redis, otherwise
+ # this test could fail if run twice in 1 minute
+ $redis.del("user:#{user.id}:#{Time.now.to_date}")
+ provider2 = provider("/", "HTTP_COOKIE" => "_t=#{unhashed_token}")
+ u = provider2.current_user
+ u.reload
+ expect(u.last_seen_at).to eq(Time.now)
+
+ freeze_time 20.minutes.from_now
+
+ u.last_seen_at = nil
+ u.suspended_till = 1.year.from_now
+ u.save!
+
+ $redis.del("user:#{user.id}:#{Time.now.to_date}")
+ provider2 = provider("/", "HTTP_COOKIE" => "_t=#{unhashed_token}")
+ expect(provider2.current_user).to eq(nil)
+
+ u.reload
+ expect(u.last_seen_at).to eq(nil)
+ end
+
+ end
+
 it "should update ajax reqs with discourse visible" do
 expect(provider("/topic/anything/goes",
 :method => "POST",
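Review bot: The new example asserts only `last_seen_at`, although the deferred block it exercises also calls `u.update_ip_address!(request.ip)`, so a regression that still recorded the IP address for a suspended user would pass this test. Capture the stored IP before the second request and assert after `u.reload` that it is unchanged. Separately, `provider = provider('/')` shadows the spec's `provider` helper with a local of the same name; calling it `provider1` would make the later `provider("/", ...)` calls unambiguous to readers. The enclosing `describe` block starts and ends outside the hunk.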