rusackas opened a new pull request, #40675: URL: https://github.com/apache/superset/pull/40675
> **Draft / `hold:testing`** — runs on the authenticated request path. Needs end-to-end validation before merge (see "Why draft"). ### SUMMARY Flask-Login only consults `is_active` when **establishing** a login; for an already-authenticated user it does **not** re-check it on subsequent requests. So a user an admin **deactivates** keeps their session until it expires (FINDING-018 / ASVS 7.4.2, CWE-613). This adds a `before_request` hook that re-checks `current_user.is_active` and logs the user out as soon as their account is deactivated. The request then continues as anonymous, and the normal access controls deny protected views. Deleted users are already handled (the user loader returns `None`). **No migration** — `auth`/`login`/`logout`/`static`/`health` endpoints are exempt to avoid loops. This implements the immediate **disable/delete** case from the SIP ([#40674](https://github.com/apache/superset/pull/40674), Part A2). The broader "invalidation epoch" (revoke sessions *without* deactivating the account) remains a future enhancement described in that SIP. ### WHY DRAFT (`hold:testing`) Adds a check on every authenticated request. Needs validation that: a disabled logged-in user is denied on their next request; normal active users and the login/logout/OAuth flows are unaffected; and the exemption list matches real endpoint names (no loop). ### TESTING INSTRUCTIONS ``` pytest tests/unit_tests/security/test_session_validation.py ``` Unit test covers the endpoint-exemption logic. **Before merge:** disable a logged-in user and confirm their next request is denied; confirm active users and login/logout are unaffected. ### ADDITIONAL INFORMATION - [ ] Has associated issue: - [ ] Required feature flags: - [ ] Changes UI - [ ] Includes DB Migration - [ ] Introduces new feature or API - [ ] Removes existing feature or API 🤖 Generated with [Claude Code](https://claude.com/claude-code) -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected] --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
