From ce8e5f3d056829bfa7a845f9dc2757e21e419ddc Mon Sep 17 00:00:00 2001
From: Tony Murray
Date: Mon, 17 Oct 2022 12:29:18 -0500
Subject: [PATCH] Block disabled user session auth Do not allow users that are disabled to be logged in via cookie. Allow all auth methods to disable users
---
 app/Http/Kernel.php | 1 +
 app/Http/Middleware/VerifyUserEnabled.php | 30 +++++++++++++++++++++++
 resources/lang/en/auth.php | 2 +-
 resources/views/auth/login.blade.php | 3 +++
 resources/views/user/form.blade.php | 6 ++---
 5 files changed, 37 insertions(+), 5 deletions(-)
 create mode 100644 app/Http/Middleware/VerifyUserEnabled.php
diff --git a/app/Http/Kernel.php b/app/Http/Kernel.php
index 23d17ee67a5b..48ada64413f3 100644
--- a/app/Http/Kernel.php
+++ b/app/Http/Kernel.php
@@ -36,6 +36,7 @@ class Kernel extends HttpKernel
 \Illuminate\Session\Middleware\StartSession::class,
 \Illuminate\Session\Middleware\AuthenticateSession::class,
 \Illuminate\View\Middleware\ShareErrorsFromSession::class,
+ \App\Http\Middleware\VerifyUserEnabled::class,
 \App\Http\Middleware\VerifyCsrfToken::class,
 \Illuminate\Routing\Middleware\SubstituteBindings::class,
 ],
diff --git a/app/Http/Middleware/VerifyUserEnabled.php b/app/Http/Middleware/VerifyUserEnabled.php
new file mode 100644
index 000000000000..35896fd70cd4
--- /dev/null
+++ b/app/Http/Middleware/VerifyUserEnabled.php
@@ -0,0 +1,30 @@
+enabled) {
+ Auth::logout();
+ $request->session()->invalidate();
+ $request->session()->regenerateToken();
+
+ return redirect()->route('login')->withErrors(['msg' => __('auth.disabled')]);
+ }
+
+ return $next($request);
+ }
+}
diff --git a/resources/lang/en/auth.php b/resources/lang/en/auth.php
index 42e108f90be3..319ab33c4ea5 100644
--- a/resources/lang/en/auth.php
+++ b/resources/lang/en/auth.php
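Review bot: `VerifyUserEnabled` is registered only in the middleware group shown here, the one that also starts the session, so the enabled check runs only for session-backed requests. The group's name and the other groups of `Kernel` are outside the hunk; if an API or token-authenticated group exists, a disabled account would presumably still pass there unless that path checks `enabled` itself. I would add a comment beside the new entry, `// runs after the session middleware; token-authenticated routes need their own enabled check`, and confirm the token path.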
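Review bot: The branch that ends a disabled user's session records nothing, so an operator cannot tell from the logs that a disabled account was still presenting a valid cookie. A line placed before `Auth::logout();`, such as `Log::warning('Session of disabled user terminated', ['user_id' => Auth::id()]);` (with the `Log` facade imported), would give incident responders that signal. The top of the file, including the condition that precedes `enabled) {`, is not legible on this page, so which guard the user is read from could not be reviewed; note that `Auth::logout()` acts on the default guard only.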
@@ -16,5 +16,5 @@
 'title' => 'Auth',
 'failed' => 'These credentials do not match our records.',
 'throttle' => 'Too many login attempts. Please try again in :seconds seconds.',
-
+ 'disabled' => 'Your Account is disabled, please contact Admin.',
 ];
diff --git a/resources/views/auth/login.blade.php b/resources/views/auth/login.blade.php
index b126ba6eb45a..5168fda0d80b 100644
--- a/resources/views/auth/login.blade.php
+++ b/resources/views/auth/login.blade.php
@@ -7,5 +7,8 @@ @include('auth.login-form') + @if($errors->any()) + + @endif @endsection
diff --git a/resources/views/user/form.blade.php b/resources/views/user/form.blade.php
index 725703fc2899..c3aa052e3f00 100644
--- a/resources/views/user/form.blade.php
+++ b/resources/views/user/form.blade.php
@@ -6,15 +6,13 @@
-@if(\LibreNMS\Config::get('auth_mechanism') == 'mysql')
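Review bot: `@if($errors->any())` in login.blade.php fires for every entry in the error bag, while the middleware in this commit only sets the `msg` key through `withErrors(['msg' => ...])`. If the included `auth.login-form` already prints its own field errors, a failed login would presumably show them a second time here; `@if($errors->has('msg'))` keeps the block to the disabled-account notice. The markup between `@if` and `@endif` is not legible on this page, so whether the message is printed escaped with `{{ }}` could not be checked.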
- - enabled)) checked @endif @if(Auth::id() == $user->user_id) disabled @endif> + + enabled ?? true)) checked @endif @if(Auth::id() == $user->user_id) disabled @endif>
-@endif
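Review bot: With the `auth_mechanism` guard removed, the enabled checkbox is offered for every auth backend, yet the only visible protection against an administrator disabling their own account is the `disabled` attribute from `@if(Auth::id() == $user->user_id) disabled @endif`. That attribute is enforced by the browser only, and a disabled input is not submitted, so the controller (not part of this diff) has to refuse a self-disable and must not read a missing `enabled` field as false. It is also worth confirming that backends which sync users from an external directory do not reset `enabled` on the next login. The input markup on these lines is only partly legible here.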