Block API usage by deactivated users.

Previously we rested on the safety of randomised API keys to ensure that
deactivated users could not use the product. Here, we add an explicit check
to prevent that.

(imported from commit e32f355fb35b898d43503b96efb291f795aac881)
Luke Faraone 2013-07-05 22:01:43 -04:00
parent 1b670f0f69
commit b715cd2034
1 changed files with 2 additions and 0 deletions

@ -74,6 +74,8 @@ def validate_api_key(email, api_key):
raise JsonableError("Invalid user: %s" % (email,))
if api_key != user_profile.api_key:
raise JsonableError("Invalid API key for user '%s'" % (email,))
if not user_profile.is_active:
raise JsonableError("User account is not active")
return user_profile
# authenticated_api_view will add the authenticated user's user_profile to
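Review bot: the new `if not user_profile.is_active:` check in `validate_api_key` comes with no test; the commit touches one file and adds only these two lines. A regression test that deactivates a user and asserts that a request with the still-valid key is rejected would keep this from silently regressing. The placement after the key comparison is worth keeping, since "User account is not active" is then only returned to a caller who already holds the correct key, and account status is not disclosed to anyone else. Separately, the unchanged context line `if api_key != user_profile.api_key:` is an ordinary string comparison; consider a constant-time comparison there in a follow-up.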