about summary refs log tree commit diff
path: root/app/controllers
diff options
context:
space:
mode:
authorEugen Rochko <eugen@zeonfederated.com>2022-05-26 22:04:05 +0200
committerGitHub <noreply@github.com>2022-05-26 22:04:05 +0200
commit9f81b9f29a14093cefcdbf09058ace089cd8e06b (patch)
tree0e2b0528375b2fd01b0fdf05da775596173f59f3 /app/controllers
parent96129c2f10a82520648f6ae04e585cf797403617 (diff)
Fix suspended users being able to access APIs that don't require a user (#18524)
Diffstat (limited to 'app/controllers')
-rw-r--r--app/controllers/activitypub/base_controller.rb1
-rw-r--r--app/controllers/api/base_controller.rb5
2 files changed, 6 insertions, 0 deletions
diff --git a/app/controllers/activitypub/base_controller.rb b/app/controllers/activitypub/base_controller.rb
index 196d85a32..b8a7e0ab9 100644
--- a/app/controllers/activitypub/base_controller.rb
+++ b/app/controllers/activitypub/base_controller.rb
@@ -2,6 +2,7 @@
 
 class ActivityPub::BaseController < Api::BaseController
   skip_before_action :require_authenticated_user!
+  skip_before_action :require_not_suspended!
   skip_around_action :set_locale
 
   private
diff --git a/app/controllers/api/base_controller.rb b/app/controllers/api/base_controller.rb
index d96285b44..2e393fbb6 100644
--- a/app/controllers/api/base_controller.rb
+++ b/app/controllers/api/base_controller.rb
@@ -11,6 +11,7 @@ class Api::BaseController < ApplicationController
   skip_before_action :require_functional!, unless: :whitelist_mode?
 
   before_action :require_authenticated_user!, if: :disallow_unauthenticated_api_access?
+  before_action :require_not_suspended!
   before_action :set_cache_headers
 
   protect_from_forgery with: :null_session
@@ -97,6 +98,10 @@ class Api::BaseController < ApplicationController
     render json: { error: 'This method requires an authenticated user' }, status: 401 unless current_user
   end
 
+  def require_not_suspended!
+    render json: { error: 'Your login is currently disabled' }, status: 403 if current_user&.account&.suspended?
+  end
+
   def require_user!
     if !current_user
       render json: { error: 'This method requires an authenticated user' }, status: 422