feat:check staff status before login #929 (#945)

TencentBlueKing · Mar 27, 2023 · 705515d · 705515d
1 parent e055f3d
commit 705515d
Show file tree

Hide file tree

Showing 3 changed files with 15 additions and 1 deletion.
diff --git a/src/api/bkuser_core/api/login/views.py b/src/api/bkuser_core/api/login/views.py
@@ -38,7 +38,7 @@
 from bkuser_core.categories.models import ProfileCategory
 from bkuser_core.common.cache import clear_cache_if_succeed
 from bkuser_core.common.error_codes import error_codes
-from bkuser_core.profiles.constants import ProfileStatus
+from bkuser_core.profiles.constants import ProfileStatus, StaffStatus
 from bkuser_core.profiles.models import Profile, ProfileTokenHolder
 from bkuser_core.profiles.utils import align_country_iso_code, make_passwd_reset_url_by_token, parse_username_domain
 from bkuser_core.profiles.validators import validate_username
@@ -134,6 +134,17 @@ def login(self, request):
                 raise error_codes.PASSWORD_ERROR
                 # NOTE: 安全原因, 不能返回账户状态
                 # raise error_codes.USER_IS_LOCKED
+            elif profile.staff_status == StaffStatus.OUT.value:
+                create_profile_log(
+                    profile=profile,
+                    operation="Login",
+                    request=request,
+                    params={"is_success": False, "reason": LogInFailReason.RESIGNED_USER.value},
+                )
+                logger.info("login check, profile<%s> of %s is resigned", profile.username, message_detail)
+                raise error_codes.PASSWORD_ERROR
+                # NOTE: 安全原因, 不能返回账户状态
+                # raise error_codes.USER_IS_RESIGNED
 
             # 获取密码配置
             auto_unlock_seconds = int(config_loader["auto_unlock_seconds"])

diff --git a/src/api/bkuser_core/audit/constants.py b/src/api/bkuser_core/audit/constants.py
@@ -22,6 +22,7 @@ class LogInFailReason(AutoLowerEnum):
     LOCKED_USER = auto()
     DISABLED_USER = auto()
     EXPIRED_USER = auto()
+    RESIGNED_USER = auto()
     SHOULD_CHANGE_INITIAL_PASSWORD = auto()
 
     _choices_labels = (
@@ -31,6 +32,7 @@ class LogInFailReason(AutoLowerEnum):
         (LOCKED_USER, "用户已锁定"),
         (DISABLED_USER, "用户已删除"),
         (EXPIRED_USER, "用户账号已过期"),
+        (RESIGNED_USER, "用户已离职"),
         (SHOULD_CHANGE_INITIAL_PASSWORD, "需要修改初始密码"),
     )
 

diff --git a/src/api/bkuser_core/common/error_codes.py b/src/api/bkuser_core/common/error_codes.py
@@ -118,6 +118,7 @@ def __getattr__(self, code_name):
         ErrorCode("USER_IS_DELETED", _("账号已被删除，请联系管理员"), 3210022),
         ErrorCode("CATEGORY_PLUGIN_LOAD_FAIL", _("目录登录插件加载失败"), 3210023),
         ErrorCode("USER_IS_EXPIRED", _("该用户账号已过期"), 3210024),
+        ErrorCode("USER_IS_RESIGNED", _("该用户账号已离职"), 3210025),
         # 用户相关
         ErrorCode("PASSWORD_DUPLICATED", _("新密码不能与最近{max_password_history}次密码相同")),
         ErrorCode("EMAIL_NOT_PROVIDED", _("该用户没有提供邮箱，发送邮件失败")),