Auth: Logout disabled user (#17166)

* Feature: revoke user token when disabled

* Chore: fix linter error

pkg/api/admin_users.go

@@ -112,43 +112,44 @@ func AdminDeleteUser(c *models.ReqContext) {
 }
 }
 
 
 // POST /api/admin/users/:id/disable
 // POST /api/admin/users/:id/disable
-func AdminDisableUser(c *models.ReqContext) {
+func (server *HTTPServer) AdminDisableUser(c *models.ReqContext) Response {
 	userID := c.ParamsInt64(":id")
 	userID := c.ParamsInt64(":id")
 
 
 	// External users shouldn't be disabled from API
 	// External users shouldn't be disabled from API
 	authInfoQuery := &models.GetAuthInfoQuery{UserId: userID}
 	authInfoQuery := &models.GetAuthInfoQuery{UserId: userID}
 	if err := bus.Dispatch(authInfoQuery); err != models.ErrUserNotFound {
 	if err := bus.Dispatch(authInfoQuery); err != models.ErrUserNotFound {
-		c.JsonApiErr(500, "Could not disable external user", nil)
-		return
+		return Error(500, "Could not disable external user", nil)
 	}
 	}
 
 
 	disableCmd := models.DisableUserCommand{UserId: userID, IsDisabled: true}
 	disableCmd := models.DisableUserCommand{UserId: userID, IsDisabled: true}
 	if err := bus.Dispatch(&disableCmd); err != nil {
 	if err := bus.Dispatch(&disableCmd); err != nil {
-		c.JsonApiErr(500, "Failed to disable user", err)
-		return
+		return Error(500, "Failed to disable user", err)
+	}
+
+	err := server.AuthTokenService.RevokeAllUserTokens(c.Req.Context(), userID)
+	if err != nil {
+		return Error(500, "Failed to disable user", err)
 	}
 	}
 
 
-	c.JsonOK("User disabled")
+	return Success("User disabled")
 }
 }
 
 
 // POST /api/admin/users/:id/enable
 // POST /api/admin/users/:id/enable
-func AdminEnableUser(c *models.ReqContext) {
+func AdminEnableUser(c *models.ReqContext) Response {
 	userID := c.ParamsInt64(":id")
 	userID := c.ParamsInt64(":id")
 
 
 	// External users shouldn't be disabled from API
 	// External users shouldn't be disabled from API
 	authInfoQuery := &models.GetAuthInfoQuery{UserId: userID}
 	authInfoQuery := &models.GetAuthInfoQuery{UserId: userID}
 	if err := bus.Dispatch(authInfoQuery); err != models.ErrUserNotFound {
 	if err := bus.Dispatch(authInfoQuery); err != models.ErrUserNotFound {
-		c.JsonApiErr(500, "Could not enable external user", nil)
-		return
+		return Error(500, "Could not enable external user", nil)
 	}
 	}
 
 
 	disableCmd := models.DisableUserCommand{UserId: userID, IsDisabled: false}
 	disableCmd := models.DisableUserCommand{UserId: userID, IsDisabled: false}
 	if err := bus.Dispatch(&disableCmd); err != nil {
 	if err := bus.Dispatch(&disableCmd); err != nil {
-		c.JsonApiErr(500, "Failed to enable user", err)
-		return
+		return Error(500, "Failed to enable user", err)
 	}
 	}
 
 
-	c.JsonOK("User enabled")
+	return Success("User enabled")
 }
 }
 
 
 // POST /api/admin/users/:id/logout
 // POST /api/admin/users/:id/logout

pkg/api/admin_users_test.go

@@ -222,16 +222,23 @@ func adminDisableUserScenario(desc string, action string, url string, routePatte
 	Convey(desc+" "+url, func() {
 	Convey(desc+" "+url, func() {
 		defer bus.ClearBusHandlers()
 		defer bus.ClearBusHandlers()
 
 
+		fakeAuthTokenService := auth.NewFakeUserAuthTokenService()
+
+		hs := HTTPServer{
+			Bus:              bus.GetBus(),
+			AuthTokenService: fakeAuthTokenService,
+		}
+
 		sc := setupScenarioContext(url)
 		sc := setupScenarioContext(url)
-		sc.defaultHandler = Wrap(func(c *m.ReqContext) {
+		sc.defaultHandler = Wrap(func(c *m.ReqContext) Response {
 			sc.context = c
 			sc.context = c
 			sc.context.UserId = TestUserID
 			sc.context.UserId = TestUserID
 
 
 			if action == "enable" {
 			if action == "enable" {
-				AdminEnableUser(c)
-			} else {
-				AdminDisableUser(c)
+				return AdminEnableUser(c)
 			}
 			}
+
+			return hs.AdminDisableUser(c)
 		})
 		})
 
 
 		sc.m.Post(routePattern, sc.defaultHandler)
 		sc.m.Post(routePattern, sc.defaultHandler)

pkg/api/api.go

@@ -381,8 +381,8 @@ func (hs *HTTPServer) registerRoutes() {
 		adminRoute.Put("/users/:id/password", bind(dtos.AdminUpdateUserPasswordForm{}), AdminUpdateUserPassword)
 		adminRoute.Put("/users/:id/password", bind(dtos.AdminUpdateUserPasswordForm{}), AdminUpdateUserPassword)
 		adminRoute.Put("/users/:id/permissions", bind(dtos.AdminUpdateUserPermissionsForm{}), AdminUpdateUserPermissions)
 		adminRoute.Put("/users/:id/permissions", bind(dtos.AdminUpdateUserPermissionsForm{}), AdminUpdateUserPermissions)
 		adminRoute.Delete("/users/:id", AdminDeleteUser)
 		adminRoute.Delete("/users/:id", AdminDeleteUser)
-		adminRoute.Post("/users/:id/disable", AdminDisableUser)
-		adminRoute.Post("/users/:id/enable", AdminEnableUser)
+		adminRoute.Post("/users/:id/disable", Wrap(hs.AdminDisableUser))
+		adminRoute.Post("/users/:id/enable", Wrap(AdminEnableUser))
 		adminRoute.Get("/users/:id/quotas", Wrap(GetUserQuotas))
 		adminRoute.Get("/users/:id/quotas", Wrap(GetUserQuotas))
 		adminRoute.Put("/users/:id/quotas/:target", bind(m.UpdateUserQuotaCmd{}), Wrap(UpdateUserQuota))
 		adminRoute.Put("/users/:id/quotas/:target", bind(m.UpdateUserQuotaCmd{}), Wrap(UpdateUserQuota))
 		adminRoute.Get("/stats", AdminGetStats)
 		adminRoute.Get("/stats", AdminGetStats)