fix(webserver): disallow changing row of inactive user (TabbyML#1799)

CatsPunch · Apr 10, 2024 · 266c38e · 266c38e
1 parent ee20c0d
commit 266c38e
Showing 1 changed file with 16 additions and 0 deletions.
diff --git a/ee/tabby-webserver/src/service/auth.rs b/ee/tabby-webserver/src/service/auth.rs
@@ -288,9 +288,15 @@ impl AuthenticationService for AuthenticationServiceImpl {
 
         let id = id.as_rowid()?;
         let user = self.db.get_user(id).await?.context("User doesn't exits")?;
+
+        if !user.active {
+            return Err(anyhow!("Inactive user's status cannot be changed").into());
+        }
+
         if user.is_owner() {
             return Err(anyhow!("The owner's admin status cannot be changed").into());
         }
+
         Ok(self.db.update_user_role(id, is_admin).await?)
     }
 
@@ -972,6 +978,16 @@ mod tests {
             .update_user_role(&user_id.as_id(), true)
             .await
             .is_ok());
+
+        // Inactive user's role cannot be changed
+        service
+            .update_user_active(&user_id.as_id(), false)
+            .await
+            .unwrap();
+        assert!(service
+            .update_user_role(&user_id.as_id(), false)
+            .await
+            .is_err());
     }
 
     #[tokio::test]