diff --git a/zerver/tests/test_auth_backends.py b/zerver/tests/test_auth_backends.py
index a96a111c67..4d07458ca2 100644
--- a/zerver/tests/test_auth_backends.py
+++ b/zerver/tests/test_auth_backends.py
@@ -2112,6 +2112,24 @@ class TestLDAP(ZulipTestCase):
 assert(user_profile is not None)
 self.assertEqual(user_profile.email, self.example_email("hamlet"))
+ @override_settings(AUTHENTICATION_BACKENDS=('zproject.backends.ZulipLDAPAuthBackend',))
+ def test_login_failure_due_to_deactivated_user(self):
+ # type: () -> None
+ self.mock_ldap.directory = {
+ 'uid=hamlet,ou=users,dc=zulip,dc=com': {
+ 'userPassword': 'testing'
+ }
+ }
+ user_profile = self.example_user("hamlet")
+ do_deactivate_user(user_profile)
+ with self.settings(
+ LDAP_APPEND_DOMAIN='zulip.com',
+ AUTH_LDAP_BIND_PASSWORD='',
+ AUTH_LDAP_USER_DN_TEMPLATE='uid=%(user)s,ou=users,dc=zulip,dc=com'):
+ user_profile = self.backend.authenticate(self.example_email("hamlet"), 'testing',
+ realm=get_realm('zulip'))
+ self.assertIs(user_profile, None)
+
 @override_settings(AUTHENTICATION_BACKENDS=('zproject.backends.ZulipLDAPAuthBackend',))
 def test_login_success_when_user_does_not_exist_with_valid_subdomain(self):
 # type: () -> None
diff --git a/zproject/backends.py b/zproject/backends.py
index c12db3216c..fed5a0f669 100644
--- a/zproject/backends.py
+++ b/zproject/backends.py
@@ -474,8 +474,7 @@ class ZulipLDAPAuthBackend(ZulipLDAPAuthBackendBase):
 if return_data.get("inactive_realm"):
 raise ZulipLDAPException("Realm has been deactivated")
 if return_data.get("inactive_user"):
- # Bug: This isn't the correct response, but it's what the old code did.
- raise ZulipLDAPException("Realm has been deactivated")
+ raise ZulipLDAPException("User has been deactivated")
 if return_data.get("invalid_subdomain"):
 # TODO: Implement something in the caller for this to
 # provide a nice user-facing error message for this
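Review bot: `self.assertIs(user_profile, None)` at the end of `test_login_failure_due_to_deactivated_user` passes for any authentication failure, so the test would still succeed if the mock directory entry, the DN template or the password were wrong and the deactivation check never ran. This pins a security invariant (a deactivated account must not log in through LDAP), so add a control inside the same `with self.settings(...)` block: call `self.backend.authenticate(...)` with the same arguments before `do_deactivate_user(user_profile)` and assert that it returns hamlet's profile, then assert `None` after deactivation. The test also never observes the exception text, so the message corrected in zproject/backends.py is not covered by it. Binding the login result to its own name, for example `result`, instead of reusing `user_profile` would keep the deactivated profile and the outcome distinct.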
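Review bot: The corrected text `"User has been deactivated"` in the `inactive_user` branch now states the account's status, and nothing in this hunk shows where a `ZulipLDAPException` message ends up; the enclosing method starts and ends outside the hunk. If that message can reach the login response rather than only the server log, a caller could tell a deactivated account apart from a wrong password, so it is worth confirming that it stays server-side. Once confirmed, a one-line comment above the raise would record the assumption, for example `# Message is for server logs only; the login response must not reveal account state.`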