author | Vincent Petry <pvince81@owncloud.com> | 2016-05-19 15:32:09 +0200 |
---|---|---|
committer | Vincent Petry <pvince81@owncloud.com> | 2016-05-19 15:32:09 +0200 |
commit | 3b3940df6b020267fc51f0f365e3a8ceb7ddc2cc (patch) | |
tree | 3f8ffa66bd19f66bc5be8623a70d3d5ee1e195aa | |
parent | 61b3260ebdf9e5756719485416381fdcf4b2f589 (diff) | |
parent | f824f3e5f355d9eb15e957fad96558b3bef9f615 (diff) | |
Merge pull request #24660 from owncloud/no-token-login-for-disabled-users
don't allow token login for disabled users
-rw-r--r-- | lib/private/User/Session.php | 4 | ||||
-rw-r--r-- | tests/lib/user/session.php | 32 |
2 files changed, 36 insertions, 0 deletions
diff --git a/lib/private/User/Session.php b/lib/private/User/Session.php
index 3f074fa8adf..7104f46fea2 100644
--- a/lib/private/User/Session.php
+++ b/lib/private/User/Session.php
@@ -362,6 +362,10 @@ class Session implements IUserSession, Emitter {
 // user does not exist
 return false;
 }
+ if (!$user->isEnabled()) {
+ // disabled users can not log in
+ return false;
+ }
 //login
 $this->setUser($user);
diff --git a/tests/lib/user/session.php b/tests/lib/user/session.php
index 710d5ae20b3..444735b854f 100644
--- a/tests/lib/user/session.php
+++ b/tests/lib/user/session.php
@@ -477,4 +477,36 @@ class Session extends \Test\TestCase {
 $this->assertEquals($users['bar'], $userSession->getUser());
 }
+ public function testTryTokenLoginWithDisabledUser() {
+ $manager = $this->getMockBuilder('\OC\User\Manager')
+ ->disableOriginalConstructor()
+ ->getMock();
+ $session = new Memory('');
+ $token = $this->getMock('\OC\Authentication\Token\IToken');
+ $user = $this->getMock('\OCP\IUser');
+ $userSession = new \OC\User\Session($manager, $session, $this->timeFactory, $this->defaultProvider);
+ $request = $this->getMock('\OCP\IRequest');
+
+ $request->expects($this->once())
+ ->method('getHeader')
+ ->with('Authorization')
+ ->will($this->returnValue('token xxxxx'));
+ $this->defaultProvider->expects($this->once())
+ ->method('validateToken')
+ ->with('xxxxx')
+ ->will($this->returnValue($token));
+ $token->expects($this->once())
+ ->method('getUID')
+ ->will($this->returnValue('user123'));
+ $manager->expects($this->once())
+ ->method('get')
+ ->with('user123')
+ ->will($this->returnValue($user));
+ $user->expects($this->once())
+ ->method('isEnabled')
+ ->will($this->returnValue(false));
+
+ $this->assertFalse($userSession->tryTokenLogin($request));
+ }
+
 }
|
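Review bot: The added `isEnabled()` guard in `lib/private/User/Session.php` rejects the login with the same bare `return false` as the unknown-user branch above it, so a valid token presented for a disabled account leaves no trace that separates it from any other failed attempt. That event is worth surfacing for detection, since it means a credential is still in use after the account was switched off. If the class has a logger available, which the hunk does not show, a warning-level entry naming the UID would cover it; otherwise the comment should record the gap, e.g. `// disabled users can not log in; nothing here logs the attempt or revokes the token`. The method starts and ends outside the hunk, so whether the other login paths in this class apply the same check cannot be confirmed from here.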
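Review bot: `testTryTokenLoginWithDisabledUser` pins only the return value of `tryTokenLogin()` and never checks that no user ended up on the session. A regression that moved the `isEnabled()` check below `setUser()` could still return false and pass this test while leaving the disabled user set as the active user. Adding `$this->assertNull($userSession->getUser());` after the `assertFalse` line would cover that, assuming `getUser()` returns null when nothing was set, which is not visible in this hunk.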