Disable valid permanent tokens if user is inactive.

2016-07-28 14:43:31 +02:00 · 2016-07-28 14:43:31 +02:00 · cdb0b7cc16
commit cdb0b7cc16
parent b4e841f4fc
2 changed files with 28 additions and 1 deletions
--- a/app/models/token.rb
+++ b/app/models/token.rb
@ -58,8 +58,13 @@ returns
      return
    end

+    user = token.user
+
+    # persistent token not valid if user is inative
+    return if token.persistent && user.active == false
+
    # return token user
-    token.user
+    user
  end

 =begin
--- a/test/controllers/api_auth_controller_test.rb
+++ b/test/controllers/api_auth_controller_test.rb
@ -167,4 +167,26 @@ class ApiAuthControllerTest < ActionDispatch::IntegrationTest

  end

+  test 'token auth - invalid user - admin' do
+
+    admin_token = Token.create(
+      action:     'api',
+      persistent: true,
+      user_id:    @admin.id,
+    )
+    admin_credentials = "Token token=#{admin_token.name}"
+
+    @admin.active = false
+    @admin.save!
+
+    Setting.set('api_token_access', false)
+    get '/api/v1/settings', {}, @headers.merge('Authorization' => admin_credentials)
+    assert_response(401)
+
+    Setting.set('api_token_access', true)
+    get '/api/v1/settings', {}, @headers.merge('Authorization' => admin_credentials)
+    assert_response(401)
+
+  end
+
 end