🛂(backend) do not duplicate user when disabled

When a user is disabled and tries to login, we don't want the user to be duplicated, the user should not be able to login. Fixes https://github.com/numerique-gouv/people/issues/455
2024-10-11 12:57:13 +02:00
parent 0e48bc0f90
commit d635c484ae
3 changed files with 69 additions and 2 deletions
--- a/src/backend/core/authentication/backends.py
+++ b/src/backend/core/authentication/backends.py
@@ -84,7 +84,10 @@ class OIDCAuthenticationBackend(MozillaOIDCAuthenticationBackend):

        # if sub is absent, try matching on email
        user = self.get_existing_user(sub, email)
+
        if user:
+            if not user.is_active:
+                raise SuspiciousOperation(_("User account is disabled"))
            self.update_user_if_needed(user, claims)
        elif self.get_settings("OIDC_CREATE_USER", True):
            user = User.objects.create(sub=sub, password="!", **claims)  # noqa: S106
@@ -117,11 +120,11 @@ class OIDCAuthenticationBackend(MozillaOIDCAuthenticationBackend):
    def get_existing_user(self, sub, email):
        """Fetch existing user by sub or email."""
        try:
-            return User.objects.get(sub=sub, is_active=True)
+            return User.objects.get(sub=sub)
        except User.DoesNotExist:
            if email and settings.OIDC_FALLBACK_TO_EMAIL_FOR_IDENTIFICATION:
                try:
-                    return User.objects.get(email=email, is_active=True)
+                    return User.objects.get(email=email)
                except User.DoesNotExist:
                    pass
        return None