search

numerique-gouv / people

Teams management application
MIT License
13 stars 1 forks source link

Disabled user should not be allowed to login (and create a new duplicated user) #455

Closed qbey closed 1 month ago

qbey commented 1 month ago

Bug Report

Problematic behavior If a user is marked as is_active=False and login again, it will create another user with the same sub. The same behavior applies for the email fallback behavior.

Expected behavior/code When a user is marked as is_active=False and logs in, we should get the User object even if "disabled" then after, check the is_active to allow login or not.

def get_or_create_user(self, access_token, id_token, payload):
    # ...

    # if sub is absent, try matching on email
        user = self.get_existing_user(sub, email)

        if not user.is_active:
            raise SuspiciousOperation(_("User %s is disabled" % sub))

    # ...

def get_existing_user(self, sub, email):
         """Fetch existing user by sub or email."""
         try:
             return User.objects.get(sub=sub)
        except User.DoesNotExist:
             if email and settings.OIDC_FALLBACK_TO_EMAIL_FOR_IDENTIFICATION:
                 try:
                     return User.objects.get(email=email)
                 except User.DoesNotExist:
                     pass
         return None

Steps to Reproduce

  1. Login with an active user
  2. Disable the user in admin (is_active=False)
  3. Login again with the user
  4. You are logged in with a new user (with a duplicated sub)

Environment

Possible Solution N/A

Additional context/Screenshots N/A