Block suspended users from wiki session auth and login

2026-05-08 10:45:14 +02:00
parent 05a4d94459
commit c217674472
1 changed files with 7 additions and 2 deletions
@@ -191,6 +191,7 @@ class User:
    is_admin:        bool
    wiki_access:     bool
    activity_access: bool
+    suspended:       bool = False


@contextmanager
@@ -213,7 +214,7 @@ def _get_session_user(token: str) -> Optional[User]:
        with _db() as con:
            row = con.execute(
                "SELECT s.handle, s.expires_at, u.display_name, u.is_admin, "
-                "u.wiki_access, u.activity_access "
+                "u.wiki_access, u.activity_access, u.suspended "
                "FROM sessions s JOIN users u ON s.handle = u.handle "
                "WHERE s.token = ?",
                (token,),
@@ -228,6 +229,8 @@ def _get_session_user(token: str) -> Optional[User]:
        return None
    if not row["wiki_access"]:
        return None
+    if row["suspended"]:
+        return None
    return User(
        handle=row["handle"],
        display_name=row["display_name"],
@@ -306,7 +309,7 @@ async def login(body: LoginBody) -> JSONResponse:
        with _db() as con:
            row = con.execute(
                "SELECT handle, display_name, password_hash, is_admin, "
-                "wiki_access, activity_access FROM users WHERE handle = ?",
+                "wiki_access, activity_access, suspended FROM users WHERE handle = ?",
                (body.handle.strip().lower(),),
            ).fetchone()
    except HTTPException:
@@ -315,6 +318,8 @@ async def login(body: LoginBody) -> JSONResponse:
        raise HTTPException(401, "Credenziali non valide")
    if not row["wiki_access"]:
        raise HTTPException(403, "Accesso al wiki non autorizzato")
+    if row["suspended"]:
+        raise HTTPException(403, "Account sospeso")

    token = secrets.token_hex(32)
    expires = int(time.time()) + _SESSION_TTL