Merge pull request #781 from appwrite/bug-777-blocked-users-can-create-sessions

Bug 777 blocked users can create sessions
2024-06-29 19:50:26 +12:00 · 2020-12-28 10:44:19 +02:00 · 2020-12-28 10:44:19 +02:00 · d69985b57c
parent dffa5f7fad 5caaa227d0
commit d69985b57c
2 changed files with 91 additions and 0 deletions
--- a/app/controllers/api/account.php
+++ b/app/controllers/api/account.php
@ -179,6 +179,10 @@ App::post('/v1/account/sessions')
            throw new Exception('Invalid credentials', 401); // Wrong password or username
        }

+        if (Auth::USER_STATUS_BLOCKED == $profile->getAttribute('status')) { // Account is blocked
+            throw new Exception('Invalid credentials. User is blocked', 401); // User is in status blocked
+        }
+
        $dd = new DeviceDetector($request->getUserAgent('UNKNOWN'));

        $dd->parse();
@ -524,6 +528,10 @@ App::get('/v1/account/sessions/oauth2/:provider/redirect')
            }
        }

+        if (Auth::USER_STATUS_BLOCKED == $user->getAttribute('status')) { // Account is blocked
+            throw new Exception('Invalid credentials. User is blocked', 401); // User is in status blocked
+        }
+
        // Create session token, verify user account and update OAuth2 ID and Access Token

        $dd = new DeviceDetector($request->getUserAgent('UNKNOWN'));
@ -1263,6 +1271,10 @@ App::post('/v1/account/recovery')
            throw new Exception('User not found', 404); // TODO maybe hide this
        }

+        if (Auth::USER_STATUS_BLOCKED == $profile->getAttribute('status')) { // Account is blocked
+            throw new Exception('Invalid credentials. User is blocked', 401); // User is in status blocked
+        }
+
        $secret = Auth::tokenGenerator();
        $recovery = new Document([
            '$collection' => Database::SYSTEM_COLLECTION_TOKENS,
--- a/tests/e2e/Services/Account/AccountCustomClientTest.php
+++ b/tests/e2e/Services/Account/AccountCustomClientTest.php
@ -49,4 +49,83 @@ class AccountCustomClientTest extends Scope

        return [];
    }
+
+    public function testBlockedAccount():array
+    {
+        $email = uniqid().'user@localhost.test';
+        $password = 'password';
+        $name = 'User Name (blocked)';
+
+        /**
+         * Test for SUCCESS
+         */
+        $response = $this->client->call(Client::METHOD_POST, '/account', array_merge([
+            'origin' => 'http://localhost',
+            'content-type' => 'application/json',
+            'x-appwrite-project' => $this->getProject()['$id'],
+        ]), [
+            'email' => $email,
+            'password' => $password,
+            'name' => $name,
+        ]);
+
+        $id = $response['body']['$id'];
+
+        $this->assertEquals($response['headers']['status-code'], 201);
+    
+        $response = $this->client->call(Client::METHOD_POST, '/account/sessions', array_merge([
+            'origin' => 'http://localhost',
+            'content-type' => 'application/json',
+            'x-appwrite-project' => $this->getProject()['$id'],
+        ]), [
+            'email' => $email,
+            'password' => $password,
+        ]);
+
+        $this->assertEquals($response['headers']['status-code'], 201);
+
+        $sessionId = $response['body']['$id'];
+        $session = $this->client->parseCookie((string)$response['headers']['set-cookie'])['a_session_'.$this->getProject()['$id']];
+
+        $response = $this->client->call(Client::METHOD_GET, '/account', array_merge([
+            'origin' => 'http://localhost',
+            'content-type' => 'application/json',
+            'x-appwrite-project' => $this->getProject()['$id'],
+            'cookie' => 'a_session_'.$this->getProject()['$id'].'=' . $session,
+        ]));
+
+        $this->assertEquals($response['headers']['status-code'], 200);
+
+        $response = $this->client->call(Client::METHOD_PATCH, '/users/' . $id . '/status', [
+            'content-type' => 'application/json',
+            'x-appwrite-project' => $this->getProject()['$id'],
+            'x-appwrite-key' => $this->getProject()['apiKey'],
+        ], [
+            'status' => 2,
+        ]);
+
+        $this->assertEquals($response['headers']['status-code'], 200);
+
+        $response = $this->client->call(Client::METHOD_GET, '/account', array_merge([
+            'origin' => 'http://localhost',
+            'content-type' => 'application/json',
+            'x-appwrite-project' => $this->getProject()['$id'],
+            'cookie' => 'a_session_'.$this->getProject()['$id'].'=' . $session,
+        ]));
+
+        $this->assertEquals($response['headers']['status-code'], 401);
+
+        $response = $this->client->call(Client::METHOD_POST, '/account/sessions', array_merge([
+            'origin' => 'http://localhost',
+            'content-type' => 'application/json',
+            'x-appwrite-project' => $this->getProject()['$id'],
+        ]), [
+            'email' => $email,
+            'password' => $password,
+        ]);
+
+        $this->assertEquals($response['headers']['status-code'], 401);
+
+        return [];
+    }
 }