diff --git a/aurweb/routers/auth.py b/aurweb/routers/auth.py
index fc5209ce..9f465388 100644
--- a/aurweb/routers/auth.py
+++ b/aurweb/routers/auth.py
@@ -46,13 +46,19 @@ async def login_post(request: Request,
 raise HTTPException(status_code=HTTPStatus.BAD_REQUEST, detail=_("Bad Referer header."))
- user = db.query(User).filter(
- or_(User.Username == user, User.Email == user)
- ).first()
+ with db.begin():
+ user = db.query(User).filter(
+ or_(User.Username == user, User.Email == user)
+ ).first()
+
 if not user:
 return await login_template(request, next, errors=["Bad username or password."])
+ if user.Suspended:
+ return await login_template(request, next,
+ errors=["Account Suspended"])
+
 cookie_timeout = cookies.timeout(remember_me)
 sid = user.login(request, passwd, cookie_timeout)
 if not sid:
diff --git a/test/test_auth_routes.py b/test/test_auth_routes.py
index 79b34b6b..8467adea 100644
--- a/test/test_auth_routes.py
+++ b/test/test_auth_routes.py
@@ -14,6 +14,7 @@ from aurweb.asgi import app
 from aurweb.models.account_type import USER_ID
 from aurweb.models.session import Session
 from aurweb.models.user import User
+from aurweb.testing.html import get_errors
 # Some test global constants.
 TEST_USERNAME = "test"
@@ -79,6 +80,21 @@ def test_login_logout(client: TestClient, user: User):
 assert "AURSID" not in response.cookies
+def test_login_suspended(client: TestClient, user: User):
+ with db.begin():
+ user.Suspended = 1
+
+ data = {
+ "user": user.Username,
+ "passwd": "testPassword",
+ "next": "/"
+ }
+ with client as request:
+ resp = request.post("/login", data=data)
+ errors = get_errors(resp.text)
+ assert errors[0].text.strip() == "Account Suspended"
+
+
 def test_login_email(client: TestClient, user: user):
 post_data = {
 "user": user.Email,
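Review bot: In the aurweb/routers/auth.py hunk, the new `if user.Suspended:` branch runs before `user.login(request, passwd, cookie_timeout)` verifies the password, so any unauthenticated client that submits a username or e-mail address learns from the distinct "Account Suspended" reply that the account exists and is suspended. Consider returning the suspension message only after the credentials have been checked, and answering with the existing `errors=["Bad username or password."]` otherwise; whether `User` offers a password check that does not also create a session is not visible here. A log line on rejected logins for suspended accounts would also help detection. login_post starts before this hunk and continues past it.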
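Review bot: test_login_suspended in test/test_auth_routes.py only asserts the error text, so a regression that shows the message but still issues a session would pass. Add `assert "AURSID" not in resp.cookies` after the message assertion, mirroring the check at the end of test_login_logout. The test also posts only one password (apparently the fixture's valid one), so the reply for a suspended account with a wrong password is not pinned; a second case would document which behaviour is intended.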