
Add user disabled flag

Open pditommaso opened this issue 6 years ago • 8 comments

A flag should be added to prevent a user from accessing the services even if he has a valid JWT token.

pditommaso avatar Sep 11 '19 20:09 pditommaso

Added User.disabled field in 9096c71.

pditommaso avatar Sep 11 '19 21:09 pditommaso

Tried to add a custom security rule with no success.

    import groovy.transform.CompileStatic
    import groovy.util.logging.Slf4j
    import io.micronaut.http.HttpRequest
    import io.micronaut.security.rules.SecurityRule
    import io.micronaut.security.rules.SecurityRuleResult
    import io.micronaut.web.router.RouteMatch

    import javax.annotation.Nullable
    import javax.inject.Singleton

    @Slf4j
    @CompileStatic
    @Singleton   // Micronaut only picks up SecurityRule implementations that are beans
    class DisabledUserSecurityRule implements SecurityRule {

        // First attempt: rejects every request unconditionally, just to see the rule fire
        SecurityRuleResult check(HttpRequest request, @Nullable RouteMatch routeMatch, @Nullable Map<String, Object> claims) {
            log.debug "+++ reject"
            SecurityRuleResult.REJECTED
        }

    }

The idea is to add a check on the User.disabled flag.

pditommaso avatar Sep 12 '19 08:09 pditommaso

A better strategy is to use the AuthGuard at client level to prevent the access and show a "This account has been suspended" page.

pditommaso avatar Sep 12 '19 08:09 pditommaso

Done in branch user_disabled.

tcrespog avatar Sep 12 '19 11:09 tcrespog

For the series "never happy": why add a new controller action for this?

    @Get('/status')
    @Transactional
    HttpResponse<GetUserStatusResponse> status(Authentication authentication) {
        final User user = userService.getFromAuthData(authentication)
        if (!user) {
            return HttpResponse.badRequest(new GetUserStatusResponse(message: "Cannot find user with name ${authentication.getName()}"))
        }

        log.debug "Getting status for user id=${user.id} userName=${user.userName} email=${user.email} disabled=${user.disabled}"
        return HttpResponse.ok(new GetUserStatusResponse(disabled: user.disabled))
    }

Couldn't the new profile one be used?

    @Get('/')
    @Transactional
    HttpResponse<GetUserResponse> profile(Authentication authentication) {
        final User user = userService.getFromAuthData(authentication)
        if (!user) {
            return HttpResponse.badRequest(new GetUserResponse(message: "Cannot find user with name ${authentication.getName()}"))
        }

        log.debug "Getting profile for user id=${user.id} userName=${user.userName} email=${user.email}"
        HttpResponse.ok(new GetUserResponse(user: user))
    }

pditommaso avatar Sep 12 '19 12:09 pditommaso

> For the series "never happy"

😂

> Couldn't the new profile one be used?

And get the full user info? Well, it could be, but it seems too much if we are interested in just the disabled status.

tcrespog avatar Sep 12 '19 12:09 tcrespog

I would mainly avoid too many interactions with the backend. When is /profile invoked? I was thinking that it could be possible to use just that one.

pditommaso avatar Sep 12 '19 12:09 pditommaso

Once the user is logged in. But look out! 🚨🚨 The disabled status shouldn't be retrieved from the stored user info because it could be manipulated by the user. A request should be made to the server in order to obtain the status from the source. Moreover, the disabled status could change between one interaction and another.

tcrespog avatar Sep 12 '19 12:09 tcrespog
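As an added example (not code from the nf-tower project or from any of the comments above), here is a server-side version of the security rule sketched earlier in the thread, written so that it enforces the "status from the source" point made in the last comment: the user record is re-read from the database on every request, so a disabled flag set after login takes effect immediately and nothing the client keeps in local storage is trusted. It assumes Micronaut Security 1.x rule semantics (rules run in `getOrder()` order and the first result other than `UNKNOWN` wins), a `UserService` bean with a hypothetical `findByUserName(String)` method, a `User` entity with `id` and `disabled` fields, and that the JWT `sub` claim carries the user name.

```groovy
import groovy.transform.CompileStatic
import groovy.util.logging.Slf4j
import io.micronaut.http.HttpRequest
import io.micronaut.security.rules.SecuredAnnotationRule
import io.micronaut.security.rules.SecurityRule
import io.micronaut.security.rules.SecurityRuleResult
import io.micronaut.web.router.RouteMatch

import javax.annotation.Nullable
import javax.inject.Inject
import javax.inject.Singleton

/**
 * Rejects requests from users whose User.disabled flag is set, even when the
 * JWT they present is still valid. The flag is read from the database on every
 * request, never from claims or client-side state, so it cannot go stale or be
 * tampered with on the client.
 */
@Slf4j
@CompileStatic
@Singleton
class DisabledUserSecurityRule implements SecurityRule {

    // Run before the @Secured rule: Micronaut stops at the first rule that
    // returns something other than UNKNOWN, so this check has to come first.
    static final int ORDER = SecuredAnnotationRule.ORDER - 100

    // Assumed service; findByUserName(String) is a hypothetical lookup method.
    @Inject UserService userService

    @Override
    int getOrder() { ORDER }

    @Override
    SecurityRuleResult check(HttpRequest request, @Nullable RouteMatch routeMatch, @Nullable Map<String, Object> claims) {
        // No token at all: nothing to decide here, let the other rules handle it
        if (claims == null) {
            return SecurityRuleResult.UNKNOWN
        }

        // Assumption: the JWT subject claim holds the user name
        final String userName = claims.get('sub') as String
        final User user = userName ? userService.findByUserName(userName) : null

        // A valid token for a user that no longer exists is rejected as well
        if (user == null) {
            log.debug "Rejecting ${request.path}: no user found for subject=${userName}"
            return SecurityRuleResult.REJECTED
        }

        if (user.disabled) {
            log.debug "Rejecting ${request.path}: user id=${user.id} is disabled"
            return SecurityRuleResult.REJECTED
        }

        // Not disabled: defer to the @Secured / intercept-url rules
        return SecurityRuleResult.UNKNOWN
    }
}
```

Returning `UNKNOWN` for non-disabled users keeps this rule from granting anything on its own; authorization is still decided by the existing rules. The client-side AuthGuard and the suspended-account page remain useful for the user experience, but this rule is what actually closes the door on a valid JWT once the flag is set, including for requests that never pass through the web client.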