diff --git a/authentik/stages/user_login/stage.py b/authentik/stages/user_login/stage.py index d545d8559..4d4e184fd 100644 --- a/authentik/stages/user_login/stage.py +++ b/authentik/stages/user_login/stage.py @@ -5,6 +5,7 @@ from django.http import HttpRequest, HttpResponse from django.utils.translation import gettext as _ from structlog.stdlib import get_logger +from authentik.core.models import User from authentik.flows.planner import PLAN_CONTEXT_PENDING_USER from authentik.flows.stage import StageView from authentik.lib.utils.time import timedelta_from_string @@ -32,9 +33,12 @@ class UserLoginStageView(StageView): backend = self.executor.plan.context.get( PLAN_CONTEXT_AUTHENTICATION_BACKEND, BACKEND_INBUILT ) + user: User = self.executor.plan.context[PLAN_CONTEXT_PENDING_USER] + if not user.is_active: + LOGGER.warning("User is not active, login will not work.") login( self.request, - self.executor.plan.context[PLAN_CONTEXT_PENDING_USER], + user, backend=backend, ) delta = timedelta_from_string(self.executor.current_stage.session_duration) @@ -45,7 +49,7 @@ class UserLoginStageView(StageView): LOGGER.debug( "Logged in", backend=backend, - user=self.executor.plan.context[PLAN_CONTEXT_PENDING_USER], + user=user, flow_slug=self.executor.flow.slug, session_duration=self.executor.current_stage.session_duration, ) diff --git a/authentik/stages/user_login/tests.py b/authentik/stages/user_login/tests.py index 680a7e437..c20509452 100644 --- a/authentik/stages/user_login/tests.py +++ b/authentik/stages/user_login/tests.py @@ -109,3 +109,29 @@ class TestUserLoginStage(APITestCase): }, }, ) + + def test_inactive_account(self): + """Test with a valid pending user and backend""" + self.user.is_active = False + self.user.save() + plan = FlowPlan(flow_pk=self.flow.pk.hex, bindings=[self.binding], markers=[StageMarker()]) + plan.context[PLAN_CONTEXT_PENDING_USER] = self.user + session = self.client.session + session[SESSION_KEY_PLAN] = plan + session.save() + + response = self.client.get( + reverse("authentik_api:flow-executor", kwargs={"flow_slug": self.flow.slug}) + ) + + self.assertEqual(response.status_code, 200) + self.assertJSONEqual( + force_str(response.content), + { + "component": "xak-flow-redirect", + "to": reverse("authentik_core:root-redirect"), + "type": ChallengeTypes.REDIRECT.value, + }, + ) + response = self.client.get(reverse("authentik_api:application-list")) + self.assertEqual(response.status_code, 403)