
launchpad-reviewers team mailing list archive

[Merge] ~cjwatson/launchpad/+git/security:inactive-oauth into launchpad:master


Colin Watson has proposed merging ~cjwatson/launchpad/+git/security:inactive-oauth into launchpad:master.

Commit message:
Refuse OAuth tokens from inactive accounts

Requested reviews:
  Launchpad code reviewers (launchpad-reviewers)

For more details, see:
https://code.launchpad.net/~cjwatson/launchpad/+git/security/+merge/399601
-- 
Your team Launchpad code reviewers is requested to review the proposed merge of ~cjwatson/launchpad/+git/security:inactive-oauth into launchpad:master.
diff --git a/lib/lp/services/webapp/doc/webapp-publication.txt b/lib/lp/services/webapp/doc/webapp-publication.txt
index 1cd19c2..a4b4e41 100644
--- a/lib/lp/services/webapp/doc/webapp-publication.txt
+++ b/lib/lp/services/webapp/doc/webapp-publication.txt
@@ -1211,6 +1211,21 @@ correct.
     ...
     lp.services.oauth.interfaces.TokenException: Invalid signature.
 
+The user's account must be active.
+
+    >>> from lp.services.identity.interfaces.account import AccountStatus
+
+    >>> login('foo.bar@xxxxxxxxxxxxx')
+    >>> salgado.setAccountStatus(AccountStatus.SUSPENDED, None, 'Bye')
+
+    >>> login('salgado@xxxxxxxxxx')
+    >>> test_request = LaunchpadTestRequest(form=form)
+    >>> publication.getPrincipal(test_request)
+    ... # doctest: +IGNORE_EXCEPTION_MODULE_IN_PYTHON2
+    Traceback (most recent call last):
+    ...
+    lp.services.oauth.interfaces.TokenException: Inactive account.
+
 Close the bogus request that was started by the call to
 beforeTraversal, in order to ensure we leave our state sane.
 Also, pop all the database policies we have been accumulating.
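Review bot: the new doctest exercises only AccountStatus.SUSPENDED, while the corresponding check in servers.py refuses every status other than ACTIVE; adding a second case (for example setAccountStatus(AccountStatus.DEACTIVATED, None, 'Bye') followed by the same getPrincipal call) would make the doctest document that all non-active states are rejected rather than just suspension. Also, salgado's account is left suspended at the end of the example; since the following paragraph is explicitly about leaving state sane, either restore the account to ACTIVE here or note that the surrounding teardown does so, so later examples that reuse this user are not affected.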
diff --git a/lib/lp/services/webapp/servers.py b/lib/lp/services/webapp/servers.py
index 458d0e2..fb05ab1 100644
--- a/lib/lp/services/webapp/servers.py
+++ b/lib/lp/services/webapp/servers.py
@@ -71,6 +71,7 @@ from lp.services.features import get_relevant_feature_controller
 from lp.services.features.flags import NullFeatureController
 from lp.services.feeds.interfaces.application import IFeedsApplication
 from lp.services.feeds.interfaces.feed import IFeed
+from lp.services.identity.interfaces.account import AccountStatus
 from lp.services.oauth.interfaces import (
     IOAuthConsumerSet,
     IOAuthSignedRequest,
@@ -1349,6 +1350,8 @@ class WebServicePublication(WebServicePublicationMixin,
             raise TokenException('Expired token (%s).' % token.key)
         elif not check_oauth_signature(request, consumer, token):
             raise TokenException('Invalid signature.')
+        elif token.person.account_status != AccountStatus.ACTIVE:
+            raise TokenException('Inactive account.')
         else:
             # Everything is fine, let's return the principal.
             pass
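Review bot: the new branch is correctly placed after check_oauth_signature, so an unsigned or forged request cannot be used to probe whether an account is inactive, but the message is less informative than the neighbouring expired-token branch, which includes the key (`raise TokenException('Expired token (%s).' % token.key)`); using `'Inactive account (%s).' % token.key` would keep the two consistent and let operators correlate the rejection with a specific token. Note also that this is a per-request check rather than a revocation: `token.person.account_status != AccountStatus.ACTIVE` is re-evaluated on every call, so an account that is later reactivated has its existing tokens start working again, which matches the commit message but is worth stating in the comment above the check so nobody mistakes it for token invalidation.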
