Use backend to enforce frozen accounts

2021-06-15 16:52:50 +02:00 · 2021-06-15 16:52:50 +02:00 · a34b83c236
commit a34b83c236
parent 02584982f6
3 changed files with 45 additions and 12 deletions
--- a/gestioasso/settings/cof_prod.py
+++ b/gestioasso/settings/cof_prod.py
@ -111,11 +111,17 @@ CORS_ORIGIN_WHITELIST = ("bda.ens.fr", "www.bda.ens.fr" "cof.ens.fr", "www.cof.e
 # Auth-related stuff
 # ---

-AUTHENTICATION_BACKENDS += [
-    "gestioncof.shared.COFCASBackend",
-    "kfet.auth.backends.GenericBackend",
-]
-
+AUTHENTICATION_BACKENDS = (
+    [
+        # Must be in first
+        "kfet.auth.backends.BlockFrozenAccountBackend"
+    ]
+    + AUTHENTICATION_BACKENDS
+    + [
+        "gestioncof.shared.COFCASBackend",
+        "kfet.auth.backends.GenericBackend",
+    ]
+)
 LOGIN_URL = "cof-login"
 LOGIN_REDIRECT_URL = "home"

--- a/kfet/auth/backends.py
+++ b/kfet/auth/backends.py
@ -1,4 +1,5 @@
 from django.contrib.auth import get_user_model
+from django.core.exceptions import PermissionDenied

 from kfet.models import Account, GenericTeamToken

@ -37,3 +38,36 @@ class GenericBackend(BaseKFetBackend):
        team_token.delete()

        return get_kfet_generic_user()
+
+
+class BlockFrozenAccountBackend:
+    def authenticate(self, request, **kwargs):
+        return None
+
+    def get_user(self, user_id):
+        return None
+
+    def has_perm(self, user_obj, perm, obj=None):
+        app_label, _ = perm.split(".")
+        if app_label == "kfet":
+            if (
+                hasattr(user_obj, "profile")
+                and hasattr(user_obj.profile, "account_kfet")
+                and user_obj.profile.account_kfet.is_frozen
+            ):
+                raise PermissionDenied
+
+        # Dans le cas général, on se réfère aux autres backends
+        return False
+
+    def has_module_perms(self, user_obj, app_label):
+        if app_label == "kfet":
+            if (
+                hasattr(user_obj, "profile")
+                and hasattr(user_obj.profile, "account_kfet")
+                and user_obj.profile.account_kfet.is_frozen
+            ):
+                raise PermissionDenied
+
+        # Dans le cas général, on se réfère aux autres backends
+        return False
--- a/kfet/decorators.py
+++ b/kfet/decorators.py
@ -2,13 +2,6 @@ from django.contrib.auth.decorators import user_passes_test


 def kfet_is_team(user):
-    if (
-        hasattr(user, "profile")
-        and hasattr(user.profile, "account_kfet")
-        and user.profile.account_kfet.is_frozen
-    ):
-        return False
-
    return user.has_perm("kfet.is_team")