Disable valid permanent tokens if user is inactive.

This commit is contained in:
Martin Edenhofer 2016-07-28 14:43:31 +02:00
parent b4e841f4fc
commit cdb0b7cc16
2 changed files with 28 additions and 1 deletions


@ -58,8 +58,13 @@ returns
return
end
user = token.user
# persistent token not valid if user is inative
return if token.persistent && user.active == false
# return token user
token.user
user
end
=begin
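Review bot: The new guard `return if token.persistent && user.active == false` only rejects when `active` is literally `false`; a `nil` value in that column is not caught, and if `token.user` is `nil` (user row gone) the `user.active` call itself raises rather than returning nil like the guard above it. Consider `return if user.nil? || (token.persistent && !user.active)` so a missing user and any non-true `active` value both fall through to the nil return. Non-persistent tokens of an inactive user are still returned by this method; if that is deliberate because login/session checks cover it, a comment saying so would help, otherwise the `token.persistent` condition looks unnecessary. The comment spelling `inative` should read `inactive`. The enclosing method starts outside the hunk.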


@ -167,4 +167,26 @@ class ApiAuthControllerTest < ActionDispatch::IntegrationTest
end
test 'token auth - invalid user - admin' do
admin_token = Token.create(
action: 'api',
persistent: true,
user_id: @admin.id,
)
admin_credentials = "Token token=#{admin_token.name}"
@admin.active = false
@admin.save!
Setting.set('api_token_access', false)
get '/api/v1/settings', {}, @headers.merge('Authorization' => admin_credentials)
assert_response(401)
Setting.set('api_token_access', true)
get '/api/v1/settings', {}, @headers.merge('Authorization' => admin_credentials)
assert_response(401)
end
end
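Review bot: The test shows only that a deactivated user gets 401, not that the 401 comes from the new `active` check rather than from something else wrong with the token or headers, since no request is made with the same token while `@admin` is still active. Add a positive control before the `@admin.active = false` line, e.g. `Setting.set('api_token_access', true)`, `get '/api/v1/settings', {}, @headers.merge('Authorization' => admin_credentials)`, `assert_response(200)`. The case also covers only a `persistent: true` token; a non-persistent token for the inactive user would document whether that path is intentionally left open. It is not visible here whether an earlier test in the file already exercises the active-user path.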