SECURITY: do not send push notifications to suspended users

app/services/post_alerter.rb

@@ -373,7 +373,7 @@ class PostAlerter
                               post_action_id: opts[:post_action_id],
                               data: notification_data.to_json)
 
-   if !existing_notification && NOTIFIABLE_TYPES.include?(type)
+   if !existing_notification && NOTIFIABLE_TYPES.include?(type) && !user.suspended?
      # we may have an invalid post somehow, dont blow up
      post_url = original_post.url rescue nil
      if post_url

spec/services/post_alerter_spec.rb

@@ -328,6 +328,26 @@ describe PostAlerter do
     let(:mention_post) { create_post_with_alerts(user: user, raw: 'Hello @eviltrout :heart:')}
     let(:topic) { mention_post.topic }
 
+    it "pushes nothing to suspended users" do
+
+      SiteSetting.allowed_user_api_push_urls = "https://site.com/push|https://site2.com/push"
+
+      evil_trout.update_columns(suspended_till: 1.year.from_now)
+
+      2.times do |i|
+        UserApiKey.create!(user_id: evil_trout.id,
+                           client_id: "xxx#{i}",
+                           key: "yyy#{i}",
+                           application_name: "iPhone#{i}",
+                           scopes: ['notifications'],
+                           push_url: "https://site2.com/push")
+      end
+
+      # should only happen once even though we are using 2 keys
+      RestClient.expects(:post).never
+      mention_post
+    end
+
     it "correctly pushes notifications if configured correctly" do
       SiteSetting.allowed_user_api_push_urls = "https://site.com/push|https://site2.com/push"