disallow access to locked users

ssundahlTTD · ssundahlTTD · commit febde23b96a5 · 2025-03-04T15:48:20.000-07:00
diff --git a/src/api/entities/User.ts b/src/api/entities/User.ts
@@ -63,6 +63,7 @@ export class User extends BaseModel {
   declare jobFunction: UserJobFunction;
   declare participants?: Participant[];
   declare acceptedTerms: boolean;
+  declare locked?: boolean;
   declare userToParticipantRoles?: UserToParticipantRole[];
 
   static readonly modifiers = {
@@ -85,6 +86,7 @@ export const UserSchema = z.object({
   phone: z.string().optional(),
   jobFunction: z.nativeEnum(UserJobFunction).optional(),
   acceptedTerms: z.boolean(),
+  locked: z.boolean().optional(),
 });
 
 export const UserCreationPartial = UserSchema.pick({
diff --git a/src/api/middleware/usersMiddleware.ts b/src/api/middleware/usersMiddleware.ts
@@ -46,6 +46,9 @@ export const enrichCurrentUser = async (req: UserRequest, res: Response, next: N
   if (!user) {
     return res.status(404).send([{ message: 'The user cannot be found.' }]);
   }
+  if (user.locked) {
+    return res.status(403).send([{ message: 'Unauthorized.' }]);
+  }
   req.user = user;
   return next();
 };
diff --git a/src/web/App.tsx b/src/web/App.tsx
@@ -6,6 +6,7 @@ import { EnvironmentBanner } from './components/Core/Banner/EnvironmentBanner';
 import { ErrorView } from './components/Core/ErrorView/ErrorView';
 import { Loading } from './components/Core/Loading/Loading';
 import { ToastContainerWrapper } from './components/Core/Popups/Toast';
+import { LockedUserView } from './components/Navigation/LockedUserView';
 import { NoParticipantAccessView } from './components/Navigation/NoParticipantAccessView';
 import { PortalHeader } from './components/PortalHeader/PortalHeader';
 import { UpdatesTour } from './components/SiteTour/UpdatesTour';
@@ -25,6 +26,9 @@ function AppContent() {
   const { participant } = useContext(ParticipantContext);
   const isLocalDev = process.env.NODE_ENV === 'development';
 
+  if (LoggedInUser?.isLocked) {
+    return <LockedUserView />;
+  }
   if (LoggedInUser?.user?.participants!.length === 0) {
     return <ErrorView message='You do not have access to any participants.' />;
   }
diff --git a/src/web/components/Navigation/LockedUserView.scss b/src/web/components/Navigation/LockedUserView.scss
@@ -0,0 +1,14 @@
+.user-locked-container {
+  display: flex;
+  flex-direction: column;
+  align-items: center;
+  padding: 4.5rem 6.5rem;
+  font-size: 2rem;
+  background-color: var(--theme-background-content);
+  height: 100vh;
+
+  .no-access-text {
+    font-weight: bold;
+    margin-bottom: 0.25rem;
+  }
+}
diff --git a/src/web/components/Navigation/LockedUserView.tsx b/src/web/components/Navigation/LockedUserView.tsx
@@ -0,0 +1,9 @@
+import './LockedUserView.scss';
+
+export function LockedUserView() {
+  return (
+    <div className='user-locked-container'>
+      <p className='no-access-text'>Access Forbidden.</p>
+    </div>
+  );
+}
diff --git a/src/web/contexts/CurrentUserProvider.tsx b/src/web/contexts/CurrentUserProvider.tsx
@@ -26,10 +26,11 @@ function CurrentUserProvider({ children }: Readonly<{ children: ReactNode }>) {
     setIsLoading(true);
     try {
       const profile = await keycloak.loadUserProfile();
-      const user = await GetLoggedInUserAccount();
+      const { user, isLocked } = await GetLoggedInUserAccount();
       SetLoggedInUser({
         profile,
         user,
+        isLocked,
       });
     } catch (e: unknown) {
       if (e instanceof Error) throwError(e);
diff --git a/src/web/services/userAccount.ts b/src/web/services/userAccount.ts
@@ -10,6 +10,7 @@ import { backendError } from '../utils/apiError';
 export type UserAccount = {
   profile: KeycloakProfile;
   user: UserWithParticipantRoles | null;
+  isLocked?: boolean;
 };
 
 export type InviteTeamMemberForm = {
@@ -20,17 +21,23 @@ export type InviteTeamMemberForm = {
   userRoleId?: number;
 };
 
+export type LoggedInUser = {
+  user: UserWithParticipantRoles | null;
+  isLocked?: boolean;
+};
+
 export type UpdateTeamMemberForm = Omit<InviteTeamMemberForm, 'email'>;
 
 export type UserPayload = z.infer<typeof UserCreationPartial>;
 
-export async function GetLoggedInUserAccount(): Promise<UserWithParticipantRoles | null> {
+export async function GetLoggedInUserAccount(): Promise<LoggedInUser> {
   try {
     const result = await axios.get<UserWithParticipantRoles>(`/users/current`, {
-      validateStatus: (status) => [200, 404].includes(status),
+      validateStatus: (status) => [200, 403, 404].includes(status),
     });
-    if (result.status === 200) return result.data;
-    return null;
+    if (result.status === 403) return { user: null, isLocked: true };
+    if (result.status === 200) return { user: result.data };
+    return { user: null };
   } catch (e: unknown) {
     throw backendError(e, 'Could not get user account');
   }
