rejected users

CanDIG · Jan 14, 2025 · f909797 · f909797
1 parent 4fe5985
commit f909797
Showing 1 changed file with 22 additions and 0 deletions.
diff --git a/src/authx/auth.py b/src/authx/auth.py
@@ -697,6 +697,11 @@ def write_user_in_opa(user_dict):
 
 def get_user_in_opa(user_name):
     safe_name = urllib.parse.quote_plus(user_name)
+    response, status_code = get_service_store_secret("opa", key=f"users/rejected_users")
+    if status_code == 200:
+        if safe_name in response["rejected_users"]:
+            return {"error": f"User {safe_name} has been rejected from CanDIG"}, 403
+
     response, status_code = get_service_store_secret("opa", key=f"users/{safe_name}")
     # return 404 if the user is not found
     if status_code == 404:
@@ -721,6 +726,13 @@ def remove_user_from_opa(user_name):
 #####
 
 def add_pending_user_to_opa(user_token):
+    # check to see if this user has already been rejected:
+    response, status_code = get_service_store_secret("opa", key=f"rejected_users")
+    if status_code != 200:
+        return response, status_code
+    if user_name in response["rejected_users"]:
+        return {"error": "This user has already been rejected by CanDIG"}, 403
+
     # NB: any user that has been authenticated by the IDP should be able to add themselves to the pending user list
     response, status_code = get_service_store_secret("opa", key=f"pending_users")
     if status_code != 200:
@@ -783,10 +795,20 @@ def reject_pending_user_in_opa(user_name):
         return response, status_code
     pending_users = response["pending_users"]
 
+    response, status_code = get_service_store_secret("opa", key=f"rejected_users")
+    if status_code != 200:
+        return response, status_code
+    rejected_users = response["rejected_users"]
+
     if user_name in pending_users:
         pending_users.pop(user_name)
         response, status_code = set_service_store_secret("opa", key=f"pending_users", value=json.dumps({"pending_users": pending_users}))
 
+        # add the user to the rejected users, if they're not already there:
+        if user_name not in rejected_users:
+            rejected_users[user_name] = user_dict
+            response, status_code = set_service_store_secret("opa", key=f"pending_users", value=json.dumps({"rejected_users": rejected_users}))
+
     else:
         return {"error": f"no pending user with ID {user_name}"}, 404
     return response, status_code