From 0b6098e346725bc3d203bfcb3d03b6c87fb9064e Mon Sep 17 00:00:00 2001
From: Lukas Krause
Date: Mon, 24 Oct 2022 14:11:49 +0200
Subject: [PATCH] Don't allow unconfirmed users to trigger tokens through webui

Fixes #13261
---
 src/api/app/policies/token_policy.rb       | 2 ++
 src/api/spec/policies/token_policy_spec.rb | 3 +++
 2 files changed, 5 insertions(+)

diff --git a/src/api/app/policies/token_policy.rb b/src/api/app/policies/token_policy.rb
index d6a55146d23..ca3b9dc87a0 100644
--- a/src/api/app/policies/token_policy.rb
+++ b/src/api/app/policies/token_policy.rb
@@ -44,6 +44,8 @@ def destroy?
   end
   def webui_trigger?
+    return false unless user.is_active?
     record.executor == user && !record.type.in?(['Token::Workflow', 'Token::Rss'])
   end
diff --git a/src/api/spec/policies/token_policy_spec.rb b/src/api/spec/policies/token_policy_spec.rb
index 502e464b15c..c36d9d923f2 100644
--- a/src/api/spec/policies/token_policy_spec.rb
+++ b/src/api/spec/policies/token_policy_spec.rb
@@ -5,6 +5,8 @@
   let(:user_token) { create(:rebuild_token, executor: token_user) }
   let(:group) { create(:group_with_user) }
   let(:other_user) { group.users.first }
+  let(:unconfirmed_user) { create(:user, state: 'unconfirmed') }
+  let(:token_of_unconfirmed_user) { create(:rebuild_token, executor: unconfirmed_user) }
   let(:workflow_token) { create(:workflow_token, executor: token_user) }
   let(:rss_token) { create(:rss_token, executor: token_user) }
@@ -24,6 +26,7 @@
   permissions :webui_trigger? do
     it { is_expected.not_to permit(token_user, workflow_token) }
+    it { is_expected.not_to permit(unconfirmed_user, token_of_unconfirmed_user) }
   end
   describe TokenPolicy::Scope do
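Review bot: The guard added at the top of `webui_trigger?` is broader than the commit title says: it keys on `user.is_active?`, which presumably rejects every non-active account state rather than only `unconfirmed`, so a one-line comment would save the next reader a trip to the User model, e.g. `# only active accounts may fire a token from the web UI; unconfirmed (and any other inactive) users are refused`. The previous body did not raise on a nil `user` (it only compared it against `record.executor`), whereas `user.is_active?` will; if this policy can ever be evaluated without a logged-in user, `return false unless user&.is_active?` keeps the old fail-closed behaviour at no cost. The same state check is not visible on the sibling actions such as `destroy?`, whose body lies outside the hunk; if they rely on the executor comparison alone, consider hoisting the active-user check to where the policy is initialised so no action is left unguarded.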
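Review bot: The new example in the `permissions :webui_trigger?` block pins only the `unconfirmed` state, while the guard it exercises is `user.is_active?`; if that predicate also covers other states (locked or deleted, say), each should get its own `let` and example so a later change to `is_active?` cannot silently reopen the hole. A positive example is worth adding next to it — `it { is_expected.to permit(token_user, user_token) }` — unless one already exists outside the hunk, because the happy path is exactly what an inverted guard would break and nothing in this block currently asserts it. `user_token` and `token_user` are already defined by the `let`s in the earlier hunk, so the example needs no new fixtures.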