From 87fb7a267790198085820d3532da38beba1b6558 Mon Sep 17 00:00:00 2001
From: Bernd Storath <999999bst@gmail.com>
Date: Fri, 13 Sep 2024 11:04:03 +0200
Subject: [PATCH] check if user is enabled

frontend doesn't handle this state yet, nothing will work as api routes will fail
---
 src/server/middleware/auth.ts | 2 +-
 src/server/middleware/session.ts | 7 +++++++
 2 files changed, 8 insertions(+), 1 deletion(-)

diff --git a/src/server/middleware/auth.ts b/src/server/middleware/auth.ts
index e711afb1..2b987b4a 100644
--- a/src/server/middleware/auth.ts
+++ b/src/server/middleware/auth.ts
@@ -25,7 +25,7 @@ export default defineEventHandler(async (event) => {
   if (!user) {
     return sendRedirect(event, '/login', 302);
   }
-  if (!user.enabled || user.role !== 'ADMIN') {
+  if (user.role !== 'ADMIN') {
     throw createError({
       statusCode: 403,
       statusMessage: 'Not allowed to access Admin Panel',
diff --git a/src/server/middleware/session.ts b/src/server/middleware/session.ts
index 587dbb91..a03e0a96 100644
--- a/src/server/middleware/session.ts
+++ b/src/server/middleware/session.ts
@@ -78,6 +78,13 @@ export default defineEventHandler(async (event) => {
     });
   }
 
+  if (!user.enabled) {
+    throw createError({
+      statusCode: 403,
+      statusMessage: 'Account is disabled',
+    });
+  }
+
   if (url.pathname.startsWith('/api/admin')) {
     if (user.role !== 'ADMIN') {
       throw createError({
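Review bot: Dropping `!user.enabled` from the admin-panel guard makes this middleware's protection depend on session.ts also running for the same request and rejecting the disabled user before this check is reached; whether that ordering holds for page requests is not visible here (Nitro orders `server/middleware` files by filename, which would seem to put auth.ts first — confirm). The commit message itself says the frontend does not handle the disabled state, so a disabled admin would still be let through to the panel and only see failing API calls. Keeping the original condition, `if (!user.enabled || user.role !== 'ADMIN') {`, costs nothing and keeps each middleware self-sufficient, or redirect disabled users to a dedicated page instead of relying on 403s from the API layer. The enclosing handler starts and ends outside the hunk.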
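Review bot: The new `!user.enabled` check throws 403 for every request carrying the disabled user's session, which presumably includes whatever logout route exists, so the session is left alive and can only ever produce 403s; consider clearing the session (or exempting the logout path) when the account is found disabled so the client falls back to the unauthenticated flow. A short comment above the block would also make the intent clear: `// Disabled accounts keep a valid session but may not use any route; the frontend does not yet handle this state`. The enclosing handler starts and ends outside the hunk.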