Make sure users can't login from launchpad if they're deactivated
Just in case the SignalId::User deletion failed.
This commit is contained in:
@@ -7,7 +7,8 @@ class Sessions::LaunchpadController < ApplicationController
|
||||
end
|
||||
|
||||
def update
|
||||
if user = Current.account.signal_account.authenticate(sig: @sig).try(:peer)
|
||||
user = Current.account.signal_account.authenticate(sig: @sig).try(:peer)
|
||||
if user.present? && user.active?
|
||||
start_new_session_for user
|
||||
redirect_to after_authentication_url
|
||||
else
|
||||
|
||||
+1
-1
@@ -23,7 +23,7 @@ class User < ApplicationRecord
|
||||
def deactivate
|
||||
sessions.delete_all
|
||||
accesses.destroy_all
|
||||
signal_user.destroy
|
||||
SignalId::Database.on_master { signal_user&.destroy }
|
||||
update! active: false, email_address: deactived_email_address
|
||||
end
|
||||
|
||||
|
||||
@@ -21,9 +21,16 @@ class Sessions::LaunchpadControllerTest < ActionDispatch::IntegrationTest
|
||||
assert parsed_cookies.signed[:session_token]
|
||||
end
|
||||
|
||||
test "returns 401 when the sig is invalid" do
|
||||
test "create checks user.active?" do
|
||||
user = users(:david)
|
||||
user.update! active: false
|
||||
|
||||
put session_launchpad_path(params: { sig: user.signal_user.perishable_signature })
|
||||
|
||||
assert_response :unauthorized
|
||||
end
|
||||
|
||||
test "returns 401 when the sig is invalid" do
|
||||
put session_launchpad_path(params: { sig: "invalid" })
|
||||
|
||||
assert_response :unauthorized
|
||||
|
||||
Reference in New Issue
Block a user