From 7b7cb0b5715319cd9b2732e723d1789ee24251fb Mon Sep 17 00:00:00 2001
From: Son
Date: Wed, 27 Apr 2022 16:24:38 +0200
Subject: [PATCH] prevent disabled user from using the api
---
 app/api/base.py | 3 +++
 tests/api/test_alias.py | 19 +++++++++++++++++++
 2 files changed, 22 insertions(+)
diff --git a/app/api/base.py b/app/api/base.py
index dc1c86af..70151d8e 100644
--- a/app/api/base.py
+++ b/app/api/base.py
@@ -30,6 +30,9 @@ def require_api_auth(f):
 g.user = api_key.user
+ if g.user.disabled:
+ return jsonify(error="Disabled account"), 403
+
 return f(*args, **kwargs)
 return decorated
diff --git a/tests/api/test_alias.py b/tests/api/test_alias.py
index 383b244d..27f17c56 100644
--- a/tests/api/test_alias.py
+++ b/tests/api/test_alias.py
@@ -612,3 +612,22 @@ def test_toggle_contact(flask_client):
 assert r.status_code == 200
 assert r.json == {"block_forward": True}
+
+
+def test_get_aliases_disabled_account(flask_client):
+ user, api_key = get_new_user_and_api_key()
+
+ r = flask_client.get(
+ "/api/v2/aliases?page_id=0",
+ headers={"Authentication": api_key.code},
+ )
+ assert r.status_code == 200
+
+ user.disabled = True
+ Session.commit()
+
+ r = flask_client.get(
+ "/api/v2/aliases?page_id=0",
+ headers={"Authentication": api_key.code},
+ )
+ assert r.status_code == 403
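Review bot: The new `if g.user.disabled:` guard in `require_api_auth` rejects silently, so nothing records that a key belonging to a disabled account is still being presented, which is a signal the operator who disabled the account would want. I would log a warning carrying the user id (never the key) just before `return jsonify(error="Disabled account"), 403`, using whatever logger the module already has, and add a comment such as `# Checked on every request so a disabled account is cut off even while its API keys still exist.` The decorator body starts above the hunk and indentation is lost in this view, so it is not visible whether the guard also covers requests where `g.user` is set from something other than `api_key.user`; if such a branch exists, confirm the check runs after it as well.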
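Review bot: `test_get_aliases_disabled_account` asserts only the 403 status, so it would still pass if another layer returned 403 for an unrelated reason; adding `assert r.json == {"error": "Disabled account"}` after the second request ties the test to the new guard. The test also exercises only the `Authentication` header path on a single route. If `require_api_auth` accepts another way of authenticating (not visible in this patch), a second case for that path would be needed to cover the guard fully.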