feat: locked users cannot be impersonated

2024-04-12 12:12:08 +02:00 · 2024-04-12 12:12:08 +02:00 · f9989a960b
commit f9989a960b
parent 565d57a887
4 changed files with 25 additions and 1 deletions
--- a/CHANGES.rst
+++ b/CHANGES.rst
@ -1,3 +1,7 @@
+Changed
+^^^^^^^
+- Locked users cannot be impersonated anymore.
+
 [0.0.51] - 2024-04-09
 ---------------------

--- a/canaille/core/endpoints/account.py
+++ b/canaille/core/endpoints/account.py
@ -818,6 +818,9 @@ def profile_delete(user, edited_user):
@bp.route("/impersonate/<user:puppet>")
@permissions_needed("impersonate_users")
 def impersonate(user, puppet):
+    if puppet.locked:
+        abort(403, _("Locked users cannot be impersonated."))
+
    login_user(puppet)
    flash(
        _("Connection successful. Welcome %(user)s", user=puppet.formatted_name),
--- a/canaille/core/templates/profile_settings.html
+++ b/canaille/core/templates/profile_settings.html
@ -156,7 +156,7 @@
                        </button>
                    {% endif %}

-                    {% if user.can_impersonate_users and user.identifier != edited_user.identifier %}
+                    {% if user.can_impersonate_users and user.identifier != edited_user.identifier and not edited_user.locked %}
                        <a href="{{ url_for('core.account.impersonate', puppet=edited_user) }}" class="ui right floated basic button" name="action" value="impersonate" id="impersonate" hx-boost="false">
                            {{ _("Impersonate") }}
                        </a>
--- a/tests/core/test_profile_settings.py
+++ b/tests/core/test_profile_settings.py
@ -265,6 +265,23 @@ def test_impersonate_invalid_user(testclient, backend, logged_admin):
    testclient.get("/impersonate/invalid", status=404)


+def test_impersonate_locked_user(testclient, backend, logged_admin, user):
+    res = testclient.get("/profile/user/settings")
+    res.mustcontain("Impersonate")
+
+    user.lock_date = datetime.datetime.now(datetime.timezone.utc) - datetime.timedelta(
+        days=1
+    )
+    user.save()
+
+    assert user.locked
+    res = testclient.get("/profile/user/settings")
+    res.mustcontain(no="Impersonate")
+
+    res = testclient.get("/impersonate/user", status=403)
+    res.mustcontain("Locked users cannot be impersonated.")
+
+
 def test_invalid_form_request(testclient, logged_admin):
    res = testclient.get("/profile/admin/settings")
    res = res.form.submit(name="action", value="invalid-action", status=400)