Fix suspended users being able to access APIs that don't require a user (#18524)

9f81b9f2 · Eugen Rochko · GitHub · 96129c2f · 9f81b9f2 · 9f81b9f2
Unverified Commit 9f81b9f2 authored 2 years ago by Eugen Rochko Committed by GitHub 2 years ago
--- a/app/controllers/activitypub/base_controller.rb
+++ b/app/controllers/activitypub/base_controller.rb
@@ -2,6 +2,7 @@

 class ActivityPub::BaseController < Api::BaseController
  skip_before_action :require_authenticated_user!
+  skip_before_action :require_not_suspended!
  skip_around_action :set_locale

  private

--- a/app/controllers/api/base_controller.rb
+++ b/app/controllers/api/base_controller.rb
@@ -11,6 +11,7 @@ class Api::BaseController < ApplicationController
  skip_before_action :require_functional!, unless: :whitelist_mode?

  before_action :require_authenticated_user!, if: :disallow_unauthenticated_api_access?
+  before_action :require_not_suspended!
  before_action :set_cache_headers

  protect_from_forgery with: :null_session
@@ -97,6 +98,10 @@ class Api::BaseController < ApplicationController
    render json: { error: 'This method requires an authenticated user' }, status: 401 unless current_user
  end

+  def require_not_suspended!
+    render json: { error: 'Your login is currently disabled' }, status: 403 if current_user&.account&.suspended?
+  end
+
  def require_user!
    if !current_user
      render json: { error: 'This method requires an authenticated user' }, status: 422