From fd04237ad899e966c5ac2a21ce9cf8bf4d39ca34 Mon Sep 17 00:00:00 2001
From: Hannah Ward
Date: Mon, 27 Apr 2020 17:03:07 +0100
Subject: [PATCH] Do not allow deactivated auth to pass mongooseim checks
---
 .../web/mongooseim/mongoose_im_controller.ex | 2 +-
 test/web/mongooseim/mongoose_im_controller_test.exs | 21 +++++++++++++++++++++
 2 files changed, 22 insertions(+), 1 deletion(-)
diff --git a/lib/pleroma/web/mongooseim/mongoose_im_controller.ex b/lib/pleroma/web/mongooseim/mongoose_im_controller.ex
index 04d823b36..ee24a61c0 100644
--- a/lib/pleroma/web/mongooseim/mongoose_im_controller.ex
+++ b/lib/pleroma/web/mongooseim/mongoose_im_controller.ex
@@ -27,7 +27,7 @@ defmodule Pleroma.Web.MongooseIM.MongooseIMController do
 
 def check_password(conn, %{"user" => username, "pass" => password}) do
 with %User{password_hash: password_hash} <-
- Repo.get_by(User, nickname: username, local: true),
+ Repo.get_by(User, nickname: username, local: true, deactivated: false),
 true <- Pbkdf2.checkpw(password, password_hash) do
 conn
 |> json(true)
diff --git a/test/web/mongooseim/mongoose_im_controller_test.exs b/test/web/mongooseim/mongoose_im_controller_test.exs
index 291ae54fc..319c5f2f8 100644
--- a/test/web/mongooseim/mongoose_im_controller_test.exs
+++ b/test/web/mongooseim/mongoose_im_controller_test.exs
@@ -9,6 +9,7 @@ defmodule Pleroma.Web.MongooseIMController do
 test "/user_exists", %{conn: conn} do
 _user = insert(:user, nickname: "lain")
 _remote_user = insert(:user, nickname: "alice", local: false)
+ _deactivated_user = insert(:user, nickname: "meanie", deactivated: true)
 
 res =
 conn
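Review bot: With `deactivated: false` added to the `Repo.get_by` clause, a deactivated account now fails the first `with` step and never reaches `Pbkdf2.checkpw`, so the 404/false answer for a deactivated (or unknown) nickname is returned without the hash-verification cost that a wrong password on an active account pays. That response-time gap lets a caller distinguish "active account" from "not usable" by the `check_password` endpoint alone; the existing `local: true` filter already had this property for unknown names, and the commit extends it to deactivated users rather than closing it. A constant-work fallback in the non-matching branch (Comeonin's `Pbkdf2.dummy_checkpw/0`, if the aliased `Pbkdf2` is `Comeonin.Pbkdf2`) would keep both paths close in cost. The `else` branch of `check_password` lies outside the hunk, so I cannot see what it does today.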
@@ -30,11 +31,21 @@ defmodule Pleroma.Web.MongooseIMController do
 |> json_response(404)
 
 assert res == false
+
+ res =
+ conn
+ |> get(mongoose_im_path(conn, :user_exists), user: "meanie")
+ |> json_response(404)
+
+ assert res == false
 end
 
 test "/check_password", %{conn: conn} do
 user = insert(:user, password_hash: Comeonin.Pbkdf2.hashpwsalt("cool"))
 
+ deactivated_user =
+ insert(:user, password_hash: Comeonin.Pbkdf2.hashpwsalt("cool"), deactivated: true)
+
 res =
 conn
 |> get(mongoose_im_path(conn, :check_password), user: user.nickname, pass: "cool")
@@ -55,5 +66,15 @@ defmodule Pleroma.Web.MongooseIMController do
 |> json_response(404)
 
 assert res == false
+
+ res =
+ conn
+ |> get(mongoose_im_path(conn, :check_password),
+ user: deactivated_user.nickname,
+ pass: "cool"
+ )
+ |> json_response(404)
+
+ assert res == false
 end
 end
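Review bot: The new assertion that `/user_exists` answers 404/false for the deactivated user `"meanie"` has no matching controller change: the diffstat shows the controller touched on one line only, inside `check_password`, so unless `user_exists` already filters on `deactivated` (its body is not in this diff) this assertion will fail or is pinning behaviour the commit does not establish. Either extend the `Repo.get_by` filter in `user_exists` the same way, `Repo.get_by(User, nickname: username, local: true, deactivated: false)`, or state in the commit message why the lookup already excludes deactivated accounts. The `test "/user_exists"` block begins before this hunk.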