authorHannah Ward <hannah.ward01@bbc.co.uk>2020-04-27 17:03:07 +0100
committerHannah Ward <hannah.ward01@bbc.co.uk>2020-04-27 17:03:07 +0100
commitfd04237ad899e966c5ac2a21ce9cf8bf4d39ca34 (patch)
tree4894dfd5cf0c32736f9ff2d4bee7b777f4fa2731
parent01cc93b6873b5c50c0fc54774a3b004bf660e46b (diff)
Do not allow deactivated auth to pass mongooseim checksmongoose-im-deactivated-users
-rw-r--r--lib/pleroma/web/mongooseim/mongoose_im_controller.ex2
-rw-r--r--test/web/mongooseim/mongoose_im_controller_test.exs21
2 files changed, 22 insertions, 1 deletions
diff --git a/lib/pleroma/web/mongooseim/mongoose_im_controller.ex b/lib/pleroma/web/mongooseim/mongoose_im_controller.ex
index 04d823b36..ee24a61c0 100644
--- a/lib/pleroma/web/mongooseim/mongoose_im_controller.ex
+++ b/lib/pleroma/web/mongooseim/mongoose_im_controller.ex
@@ -27,7 +27,7 @@ defmodule Pleroma.Web.MongooseIM.MongooseIMController do
def check_password(conn, %{"user" => username, "pass" => password}) do
with %User{password_hash: password_hash} <-
- Repo.get_by(User, nickname: username, local: true),
+ Repo.get_by(User, nickname: username, local: true, deactivated: false),
true <- Pbkdf2.checkpw(password, password_hash) do
conn
|> json(true)
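Review bot: Only `check_password` gains the `deactivated: false` filter in this hunk, while the test added in `mongoose_im_controller_test.exs` also expects `/user_exists` to return 404 for the deactivated user "meanie". `user_exists` is not part of this diff, and the diffstat shows a single changed line in the controller. If that action still looks the user up with only `nickname: username, local: true`, the new assertion fails and MongooseIM is still told that a deactivated account exists. Its lookup would need the same clause, e.g. `Repo.get_by(User, nickname: username, local: true, deactivated: false)`. The body of `check_password` continues outside the hunk, so the `else` handling for a rejected lookup is not visible here.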
diff --git a/test/web/mongooseim/mongoose_im_controller_test.exs b/test/web/mongooseim/mongoose_im_controller_test.exs
index 291ae54fc..319c5f2f8 100644
--- a/test/web/mongooseim/mongoose_im_controller_test.exs
+++ b/test/web/mongooseim/mongoose_im_controller_test.exs
@@ -9,6 +9,7 @@ defmodule Pleroma.Web.MongooseIMController do
test "/user_exists", %{conn: conn} do
_user = insert(:user, nickname: "lain")
_remote_user = insert(:user, nickname: "alice", local: false)
+ _deactivated_user = insert(:user, nickname: "meanie", deactivated: true)
res =
conn
@@ -30,11 +31,21 @@ defmodule Pleroma.Web.MongooseIMController do
|> json_response(404)
assert res == false
+
+ res =
+ conn
+ |> get(mongoose_im_path(conn, :user_exists), user: "meanie")
+ |> json_response(404)
+
+ assert res == false
end
test "/check_password", %{conn: conn} do
user = insert(:user, password_hash: Comeonin.Pbkdf2.hashpwsalt("cool"))
+ deactivated_user =
+ insert(:user, password_hash: Comeonin.Pbkdf2.hashpwsalt("cool"), deactivated: true)
+
res =
conn
|> get(mongoose_im_path(conn, :check_password), user: user.nickname, pass: "cool")
@@ -55,5 +66,15 @@ defmodule Pleroma.Web.MongooseIMController do
|> json_response(404)
assert res == false
+
+ res =
+ conn
+ |> get(mongoose_im_path(conn, :check_password),
+ user: deactivated_user.nickname,
+ pass: "cool"
+ )
+ |> json_response(404)
+
+ assert res == false
end
end