From caca29d354008d6eb10f17d05fb0df4dd2091d31 Mon Sep 17 00:00:00 2001
From: Raj Nandan Sharma <rajnandan1@gmail.com>
Date: Wed, 25 Feb 2026 00:01:49 +0530
Subject: [PATCH] ensure inactive users cannot log in and restrict actions for
 non-admin roles. Fixes #600

---
 src/lib/server/controllers/userController.ts        | 3 +++
 src/routes/(account)/account/signin/+page.server.ts | 7 +++++++
 src/routes/(manage)/manage/api/+server.ts           | 3 +++
 3 files changed, 13 insertions(+)

diff --git a/src/lib/server/controllers/userController.ts b/src/lib/server/controllers/userController.ts
index cfcefb15..cb6e0bd2 100644
--- a/src/lib/server/controllers/userController.ts
+++ b/src/lib/server/controllers/userController.ts
@@ -251,6 +251,9 @@ export const GetLoggedInSession = async (cookies: Cookies): Promise<UserRecordPu
   if (!userDB) {
     return null;
   }
+  if (!userDB.is_active) {
+    return null;
+  }
   return userDB;
 };
 
diff --git a/src/routes/(account)/account/signin/+page.server.ts b/src/routes/(account)/account/signin/+page.server.ts
index 32af9205..c3f09ccc 100644
--- a/src/routes/(account)/account/signin/+page.server.ts
+++ b/src/routes/(account)/account/signin/+page.server.ts
@@ -51,6 +51,13 @@ export const actions: Actions = {
       return fail(401, { error: "Invalid password or Email", values: { email } });
     }
 
+    if (!userDB.is_active) {
+      return fail(403, {
+        error: "Your account has been deactivated. Please contact an administrator.",
+        values: { email },
+      });
+    }
+
     const token = await GenerateToken(userDB);
     const cookieConfig = CookieConfig();
     cookies.set(cookieConfig.name, token, {
diff --git a/src/routes/(manage)/manage/api/+server.ts b/src/routes/(manage)/manage/api/+server.ts
index d84b3c5c..62075b0e 100644
--- a/src/routes/(manage)/manage/api/+server.ts
+++ b/src/routes/(manage)/manage/api/+server.ts
@@ -199,6 +199,7 @@ export async function POST({ request, cookies }) {
       AdminEditorCan(userDB.role);
       resp = await CreateUpdateMonitor(data);
     } else if (action == "updateMonitoringData") {
+      AdminEditorCan(userDB.role);
       data.type = GC.MANUAL;
       resp = await UpdateMonitoringData(data);
     } else if (action == "getMonitors") {
@@ -291,6 +292,7 @@ export async function POST({ request, cookies }) {
       AdminEditorCan(userDB.role);
       resp = await UpdateCommentByID(data.incident_id, data.comment_id, data.comment, data.state, data.commented_at);
     } else if (action == "testTrigger") {
+      AdminEditorCan(userDB.role);
       const trigger = await GetTriggerByID(data.trigger_id);
       const siteData = await GetAllSiteData();
       if (!trigger || !siteData) {
@@ -364,6 +366,7 @@ export async function POST({ request, cookies }) {
         throw new Error("Unsupported trigger type for testing");
       }
     } else if (action == "testMonitor") {
+      AdminEditorCan(userDB.role);
       let monitorID = data.monitor_id;
       let monitors = await GetMonitorsParsed({ id: monitorID });
       let monitor = monitors[0];