# HG changeset patch
# User bsw
# Date 1612901236 -3600
# Node ID 45287f1037fbee8ad425adb3ec47aeef9b7b0be1
# Parent  15bde6a79d41f5862ce8742e619e3fd1c000a949
Support precondtions if LDAP accounts may login

diff -r 15bde6a79d41 -r 45287f1037fb env/ldap/update_all_members.lua
--- a/env/ldap/update_all_members.lua	Tue Feb 09 17:40:50 2021 +0100
+++ b/env/ldap/update_all_members.lua	Tue Feb 09 21:07:16 2021 +0100
@@ -35,6 +35,8 @@
       return
     end
 
+    ldap.update_member_allowed(member, ldap_entry)
+
     local err = member:try_save()
     if err then
       failure("member_try_save", err)
diff -r 15bde6a79d41 -r 45287f1037fb env/ldap/update_member_allowed.lua
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/env/ldap/update_member_allowed.lua	Tue Feb 09 21:07:16 2021 +0100
@@ -0,0 +1,10 @@
+function ldap.update_member_allowed(member, ldap_entry)
+  local allowed = config.ldap.member.allowed_map(ldap_entry)
+  if allowed then
+    member.locked = false
+  else
+    member.locked = true
+    member.active = false
+  end
+end
+
diff -r 15bde6a79d41 -r 45287f1037fb model/member.lua
--- a/model/member.lua	Tue Feb 09 17:40:50 2021 +0100
+++ b/model/member.lua	Tue Feb 09 21:07:16 2021 +0100
@@ -413,7 +413,6 @@
   local function prepare_login_selector()
     local selector = self:new_selector()
     selector:add_field({ "now() > COALESCE(last_delegation_check, activated) + ?::interval", config.check_delegations_interval_hard }, "needs_delegation_check_hard")
-    selector:add_where('NOT "locked"')
     selector:optional_object_mode()
     return selector
   end
@@ -476,12 +475,16 @@
         end
 
         -- update the member attributes and privileges from LDAP
-        local ldap_conn, ldap_err, err, err2 = ldap.update_member_attr(member, nil, uid)
+        local ldap_conn, ldap_entry, err, err2 = ldap.update_member_attr(member, nil, uid)
         if not err then
+          ldap.update_member_allowed(member, ldap_entry)
           local err = member:try_save()
           if err then
             return nil, "member_save_error", err
           end
+          if member.locked then
+            return nil, "member_locked"
+          end
           local succes, err, err2 = ldap.update_member_privileges(member, ldap_entry)
           if err then
             return nil, "update_member_privileges_error", err, err2
@@ -522,8 +525,12 @@
         if config.ldap.member.cache_passwords then
           member:set_password(password)
         end
-        local ldap_conn, ldap_err, err, err2 = ldap.update_member_attr(member, nil, uid)
+        local ldap_conn, ldap_entry, err, err2 = ldap.update_member_attr(member, nil, uid)
         if not err then
+          ldap.update_member_allowed(member, ldap_entry)
+          if member.locked then
+            return nil, "member_not_allowed"
+          end
           local err = member:try_save()
           if err then
             return nil, "member_save_error", err