Consolidate logic to check for deactivated users. (#15634)
This moves the deactivated user check to the method which
all login types call.
Additionally updates the application service tests to be more
realistic by removing invalid tests and fixing server names.
1 files changed, 5 insertions, 9 deletions
diff --git a/synapse/handlers/auth.py b/synapse/handlers/auth.py
index 59e340974d..d001f2fb2f 100644
--- a/synapse/handlers/auth.py
+++ b/synapse/handlers/auth.py
@@ -52,7 +52,6 @@ from synapse.api.errors import (
NotFoundError,
StoreError,
SynapseError,
- UserDeactivatedError,
)
from synapse.api.ratelimiting import Ratelimiter
from synapse.handlers.ui_auth import (
@@ -1419,12 +1418,6 @@ class AuthHandler:
return None
(user_id, password_hash) = lookupres
- # If the password hash is None, the account has likely been deactivated
- if not password_hash:
- deactivated = await self.store.get_user_deactivated_status(user_id)
- if deactivated:
- raise UserDeactivatedError("This account has been deactivated")
-
result = await self.validate_hash(password, password_hash)
if not result:
logger.warning("Failed password login for user %s", user_id)
@@ -1749,8 +1742,11 @@ class AuthHandler:
registered.
auth_provider_session_id: The session ID from the SSO IdP received during login.
"""
- # If the account has been deactivated, do not proceed with the login
- # flow.
+ # If the account has been deactivated, do not proceed with the login.
+ #
+ # This gets checked again when the token is submitted but this lets us
+ # provide an HTML error page to the user (instead of issuing a token and
+ # having it error later).
deactivated = await self.store.get_user_deactivated_status(registered_user_id)
if deactivated:
respond_with_html(request, 403, self._sso_account_deactivated_template)
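Review bot: The added comment above the SSO deactivation check says the status "gets checked again when the token is submitted" but does not say where, and per the commit message that later check is now the single enforcement point for all login types. Name it in the comment so neither check is later removed as redundant, for example `# Authoritative check: <common login-completion method>; this early one only renders the HTML error page.` It is also worth stating that the later check covers an account deactivated between SSO completion and token redemption. The enclosing method starts and continues outside the hunk, so whether it returns immediately after `respond_with_html` cannot be confirmed from here.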