feat(auth): block disabled user accounts at the subscription guard
RequireActiveTenantSubscription now optionally takes an AuthRepository and rejects the request with 40311/user_disabled when the actor's user row is anything other than active. Wire the repo through the tenant router, surface the new error code in admin-web's membershipBlockedErrors set, persist a "disabled" membership status when markStoredMembershipBlocked sees user_disabled, and add localized copy on the blocked screen and shell membership banner. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
@@ -65,7 +65,10 @@ func RegisterRoutes(app *bootstrap.App) {
|
||||
desktopAuth.POST("/monitoring/tasks/:id/cancel", desktopMonitoringHandler.Cancel)
|
||||
|
||||
tenantProtected := protected.Group("/tenant")
|
||||
tenantProtected.Use(RequireActiveTenantSubscription(repository.NewTenantPlanRepository(app.DB)))
|
||||
tenantProtected.Use(RequireActiveTenantSubscription(
|
||||
repository.NewTenantPlanRepository(app.DB),
|
||||
repository.NewAuthRepository(app.DB),
|
||||
))
|
||||
tenantProtected.GET("/accounts", desktopAccountHandler.TenantList)
|
||||
tenantProtected.POST("/accounts/:id/request-delete", desktopAccountHandler.RequestDelete)
|
||||
tenantProtected.POST("/tasks/:id/reconcile", desktopTaskHandler.Reconcile)
|
||||
|
||||
Reference in New Issue
Block a user