From a34b83c23671d9ed0271c941cb6ac524782ad698 Mon Sep 17 00:00:00 2001
From: Ludovic Stephan
Date: Tue, 15 Jun 2021 16:52:50 +0200
Subject: [PATCH] Use backend to enforce frozen accounts

---
 gestioasso/settings/cof_prod.py | 16 +++++++++++-----
 kfet/auth/backends.py | 34 +++++++++++++++++++++++++++++++++
 kfet/decorators.py | 7 -------
 3 files changed, 45 insertions(+), 12 deletions(-)

diff --git a/gestioasso/settings/cof_prod.py b/gestioasso/settings/cof_prod.py
index 28133ebc..b8b1c0ff 100644
--- a/gestioasso/settings/cof_prod.py
+++ b/gestioasso/settings/cof_prod.py
@@ -111,11 +111,17 @@ CORS_ORIGIN_WHITELIST = ("bda.ens.fr", "www.bda.ens.fr" "cof.ens.fr", "www.cof.e
 # Auth-related stuff
 # ---
 
-AUTHENTICATION_BACKENDS += [
- "gestioncof.shared.COFCASBackend",
- "kfet.auth.backends.GenericBackend",
-]
-
+AUTHENTICATION_BACKENDS = (
+ [
+ # Must be in first
+ "kfet.auth.backends.BlockFrozenAccountBackend"
+ ]
+ + AUTHENTICATION_BACKENDS
+ + [
+ "gestioncof.shared.COFCASBackend",
+ "kfet.auth.backends.GenericBackend",
+ ]
+)
 LOGIN_URL = "cof-login"
 LOGIN_REDIRECT_URL = "home"
 
diff --git a/kfet/auth/backends.py b/kfet/auth/backends.py
index 55e18458..0f7789a1 100644
--- a/kfet/auth/backends.py
+++ b/kfet/auth/backends.py
@@ -1,4 +1,5 @@
 from django.contrib.auth import get_user_model
+from django.core.exceptions import PermissionDenied
 
 from kfet.models import Account, GenericTeamToken
 
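Review bot: The comment `# Must be in first` on the new BlockFrozenAccountBackend entry does not say why, and the reason is load-bearing: Django's has_perm() returns True at the first backend that grants the permission and turns a PermissionDenied raised by a backend into False, so the frozen check only overrides the other backends if it runs before them. Suggest `# Must come first: has_perm() stops at the first backend that grants, and a PermissionDenied raised here is mapped to False before later backends run.` This settings module is also now the only place the restriction is enforced, since kfet/decorators.py drops its own check in this commit; any other settings module that builds AUTHENTICATION_BACKENDS (presumably inherited from a base module here) without this entry silently loses it, so a test asserting the entry sits at index 0 would be worthwhile. Pre-existing and outside the hunk, but visible in its header: `CORS_ORIGIN_WHITELIST` appears to lack a comma between `"www.bda.ens.fr"` and `"cof.ens.fr"`, so implicit string concatenation yields one bogus origin and neither intended host is whitelisted.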
@@ -37,3 +38,36 @@ class GenericBackend(BaseKFetBackend):
 team_token.delete()
 
 return get_kfet_generic_user()
+
+
+class BlockFrozenAccountBackend:
+ def authenticate(self, request, **kwargs):
+ return None
+
+ def get_user(self, user_id):
+ return None
+
+ def has_perm(self, user_obj, perm, obj=None):
+ app_label, _ = perm.split(".")
+ if app_label == "kfet":
+ if (
+ hasattr(user_obj, "profile")
+ and hasattr(user_obj.profile, "account_kfet")
+ and user_obj.profile.account_kfet.is_frozen
+ ):
+ raise PermissionDenied
+
+ # Dans le cas général, on se réfère aux autres backends
+ return False
+
+ def has_module_perms(self, user_obj, app_label):
+ if app_label == "kfet":
+ if (
+ hasattr(user_obj, "profile")
+ and hasattr(user_obj.profile, "account_kfet")
+ and user_obj.profile.account_kfet.is_frozen
+ ):
+ raise PermissionDenied
+
+ # Dans le cas général, on se réfère aux autres backends
+ return False
diff --git a/kfet/decorators.py b/kfet/decorators.py
index 0db0c2e1..70848820 100644
--- a/kfet/decorators.py
+++ b/kfet/decorators.py
@@ -2,13 +2,6 @@ from django.contrib.auth.decorators import user_passes_test
 
 
 def kfet_is_team(user):
- if (
- hasattr(user, "profile")
- and hasattr(user.profile, "account_kfet")
- and user.profile.account_kfet.is_frozen
- ):
- return False
-
 return user.has_perm("kfet.is_team")
 
 
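Review bot: The new backend no longer blocks frozen superusers, which the check removed from kfet/decorators.py in this same commit did: Django's PermissionsMixin.has_perm() returns True for an active superuser before consulting any backend, so the `raise PermissionDenied` in has_perm()/has_module_perms() is never reached for them, whereas kfet_is_team used to test is_frozen before calling has_perm(). If that narrowing is intended it should be stated in a class docstring; if not, the frozen test has to run ahead of has_perm() for that case. Secondly, `app_label, _ = perm.split(".")` raises ValueError for any permission string that does not contain exactly one dot, and because this backend is first in AUTHENTICATION_BACKENDS that breaks has_perm() for every app, not only kfet; `app_label = perm.partition(".")[0]` is tolerant. The is_frozen condition is also duplicated verbatim between the two methods, so the rewrite below factors it into a helper, switches to partition() and adds the docstring (the French comment is replaced by an English one).
```python
class BlockFrozenAccountBackend:
    """Deny every "kfet.*" permission to users whose K-Fêt account is frozen.

    Must be listed before any backend that can grant a permission: Django
    stops at the first backend whose has_perm() returns True, and maps a
    PermissionDenied raised here to False without consulting the others.
    User.has_perm() returns True for active superusers before any backend
    runs, so frozen superusers are NOT blocked by this backend.
    """

    # … unchanged: authenticate() / get_user() both return None …

    @staticmethod
    def _is_frozen(user_obj):
        """Return True when user_obj has a profile whose kfet account is frozen."""
        return (
            hasattr(user_obj, "profile")
            and hasattr(user_obj.profile, "account_kfet")
            and user_obj.profile.account_kfet.is_frozen
        )

    def has_perm(self, user_obj, perm, obj=None):
        # partition() tolerates perms without a dot; unpacking split() would
        # raise ValueError and, this backend being first, break has_perm()
        # for every app.
        app_label = perm.partition(".")[0]
        if app_label == "kfet" and self._is_frozen(user_obj):
            raise PermissionDenied
        # Otherwise defer to the remaining backends.
        return False

    def has_module_perms(self, user_obj, app_label):
        if app_label == "kfet" and self._is_frozen(user_obj):
            raise PermissionDenied
        # Otherwise defer to the remaining backends.
        return False
```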