From 4748dedd29726b9dfc8f331f76a97860ddf466ee Mon Sep 17 00:00:00 2001
From: Torsten Dittmann
Date: Fri, 16 Feb 2024 14:58:38 +0000
Subject: [PATCH] fix: blocked users from accessing console

---
 app/controllers/general.php | 34 ++++++++++++++++++----------------
 1 file changed, 18 insertions(+), 16 deletions(-)

diff --git a/app/controllers/general.php b/app/controllers/general.php
index 9385fac435..e2ecde97e0 100644
--- a/app/controllers/general.php
+++ b/app/controllers/general.php
@@ -563,25 +563,27 @@ App::init()
             throw new AppwriteException(AppwriteException::GENERAL_UNAUTHORIZED_SCOPE, $user->getAttribute('email', 'User') . ' (role: ' . \strtolower($roles[$role]['label']) . ') missing scope (' . $scope . ')');
         }
 
-        if (false === $user->getAttribute('status')) { // Account is blocked
-            throw new AppwriteException(AppwriteException::USER_BLOCKED);
-        }
+        if (in_array('api', $route->getGroups())) {
+            if (false === $user->getAttribute('status')) { // Account is blocked
+                throw new AppwriteException(AppwriteException::USER_BLOCKED);
+            }
 
-        if ($user->getAttribute('reset')) {
-            throw new AppwriteException(AppwriteException::USER_PASSWORD_RESET_REQUIRED);
-        }
+            if ($user->getAttribute('reset')) {
+                throw new AppwriteException(AppwriteException::USER_PASSWORD_RESET_REQUIRED);
+            }
 
-        if ($mode !== APP_MODE_ADMIN) {
-            $mfaEnabled = $user->getAttribute('mfa', false);
-            $hasVerifiedAuthenticator = $user->getAttribute('totpVerification', false);
-            $hasVerifiedEmail = $user->getAttribute('emailVerification', false);
-            $hasVerifiedPhone = $user->getAttribute('phoneVerification', false);
-            $hasMoreFactors = $hasVerifiedEmail || $hasVerifiedPhone || $hasVerifiedAuthenticator;
-            $minimumFactors = ($mfaEnabled && $hasMoreFactors) ? 2 : 1;
+            if ($mode !== APP_MODE_ADMIN) {
+                $mfaEnabled = $user->getAttribute('mfa', false);
+                $hasVerifiedAuthenticator = $user->getAttribute('totpVerification', false);
+                $hasVerifiedEmail = $user->getAttribute('emailVerification', false);
+                $hasVerifiedPhone = $user->getAttribute('phoneVerification', false);
+                $hasMoreFactors = $hasVerifiedEmail || $hasVerifiedPhone || $hasVerifiedAuthenticator;
+                $minimumFactors = ($mfaEnabled && $hasMoreFactors) ? 2 : 1;
 
-            if (!in_array('mfa', $route->getGroups())) {
-                if ($session && \count($session->getAttribute('factors')) < $minimumFactors) {
-                    throw new AppwriteException(AppwriteException::USER_MORE_FACTORS_REQUIRED);
+                if (!in_array('mfa', $route->getGroups())) {
+                    if ($session && \count($session->getAttribute('factors')) < $minimumFactors) {
+                        throw new AppwriteException(AppwriteException::USER_MORE_FACTORS_REQUIRED);
+                    }
                 }
             }
         }
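Review bot: The new `in_array('api', $route->getGroups())` guard turns the blocked-account, password-reset and MFA checks into an opt-in by route group, so every route this init hook runs for that is not tagged `api` now skips all three, and nothing in the code records that this is deliberate; a comment above the guard should state the intent, e.g. `// Account status, password-reset and MFA enforcement applies to API routes only; non-API (console) routes stay reachable so a blocked user can be shown why` (wording to be confirmed against the hook's group list, which is outside the hunk). Both `in_array` calls in the hunk compare loosely; pass the strict flag, `in_array('api', $route->getGroups(), true)` and `!in_array('mfa', $route->getGroups(), true)`, since the group names are exact strings. The enclosing action closure of `App::init()` starts and ends outside the hunk.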