From c7ab65144997c2a79594541d596bfed7485e1756 Mon Sep 17 00:00:00 2001 From: Massedil Date: Wed, 8 Oct 2025 12:33:13 +0200 Subject: [PATCH] fix: A disabled user can't create a new profile Fixes #1842 --- lib/graphql/resolvers/person.ex | 17 ++++++++++++++++- test/graphql/resolvers/person_test.exs | 24 ++++++++++++++++++++++++ 2 files changed, 40 insertions(+), 1 deletion(-)
diff --git a/lib/graphql/resolvers/person.ex b/lib/graphql/resolvers/person.ex
index 31a0f1c5a..73eeceae0 100644
--- a/lib/graphql/resolvers/person.ex
+++ b/lib/graphql/resolvers/person.ex
@@ -133,7 +133,7 @@ defmodule Mobilizon.GraphQL.Resolvers.Person do
   def create_person(
         _parent,
         %{preferred_username: _preferred_username} = args,
-        %{context: %{current_user: user} = context} = _resolution
+        %{context: %{current_user: %{disabled: false} = user} = context} = _resolution
       ) do
     args = Map.put(args, :user_id, user.id)
     user_agent = Map.get(context, :user_agent, "")
@@ -160,6 +160,21 @@ defmodule Mobilizon.GraphQL.Resolvers.Person do
     end
   end
 
+  @doc """
+  A logged user that is banned stays logged-in.
+  We need to block the person creation to prevent the user to create new content
+  TODO: Best should be to destroy the session but it seems hard to do with token behaviour.
+  Link: https://framagit.org/kaihuri/mobilizon/-/issues/1842
+  Link: https://framagit.org/kaihuri/mobilizon/-/issues/1842#note_2255364
+  """
+  def create_person(
+        _parent,
+        %{preferred_username: _preferred_username} = _args,
+        %{context: %{current_user: %{disabled: true} = _user} = _context} = _resolution
+      ) do
+    {:error, :user_disabled}
+  end
+
   def create_person(_parent, _args, _resolution) do
     {:error, :unauthenticated}
   end
diff --git a/test/graphql/resolvers/person_test.exs b/test/graphql/resolvers/person_test.exs
index 90d8f1d8f..df7b817bf 100644
--- a/test/graphql/resolvers/person_test.exs
+++ b/test/graphql/resolvers/person_test.exs
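Review bot: Narrowing the first clause to `%{current_user: %{disabled: false} = user}` closes the hole only for `create_person/3`, yet the commit message states that a banned user keeps a usable token, so every other resolver that reads `current_user` from the context presumably remains reachable with that same token (those resolvers are not visible in this hunk). The durable fix is to apply the `disabled` check once, where `current_user` is loaded into the Absinthe context or in a middleware on all mutations, rather than adding a clause per resolver. Also note that a user whose `disabled` field is neither `true` nor `false` (for example `nil`, if the schema permits it) now falls through to the `{:error, :unauthenticated}` clause; that is fail-closed and acceptable, but worth stating with `# disabled must be exactly false; any other value falls through to :unauthenticated` if intended. The body of `create_person/3` continues past the end of this hunk.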
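Review bot: The `@doc` placed on the new `%{disabled: true}` clause becomes the public documentation for `create_person/3` as a whole, since Elixir attaches `@doc` to the function rather than to one clause, so generated docs will describe only the ban branch and not what the function does for normal users. A `#` comment above the clause keeps the rationale without that side effect, and the wording should be tightened, e.g. `# A banned user keeps a valid token (see #1842), so refuse profile creation here until disabled users are rejected at the authentication layer.` The links to the issue can stay in that comment. Returning `{:error, :user_disabled}` is consistent with the sibling `{:error, :unauthenticated}` clause, which is good.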
@@ -232,6 +232,30 @@ defmodule Mobilizon.GraphQL.Resolvers.PersonTest do
                MapSet.new([actor.preferred_username, "new_identity"])
     end
 
+    # Link: https://framagit.org/kaihuri/mobilizon/-/issues/1842
+    test "impossible to create a new identity with disabled user", %{conn: conn} do
+      user = insert(:user, disabled: true)
+
+      # Login by email/password is impossible for a disabled user
+      # But it is still possible to use a valid token obtained before the ban
+      app_token = insert(:auth_application_token, user: user)
+
+      res =
+        conn
+        |> auth_conn(app_token)
+        |> AbsintheHelpers.graphql_query(
+          query: @create_person_mutation,
+          variables: %{
+            preferredUsername: "new_identity",
+            name: "secret person",
+            summary: "no-one will know who I am"
+          }
+        )
+
+      assert res["data"]["createPerson"] == nil
+      assert hd(res["errors"])["message"] == "user_disabled"
+    end
+
     test "with an avatar and an banner creates a new identity", %{conn: conn} do
       user = insert(:user)
       insert(:actor, user: user)
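Review bot: The new test asserts only on the GraphQL response and never checks that no actor with preferred username `new_identity` was persisted, which is the property the fix actually protects; a response-level error could coexist with a row being written if the resolver order ever changes. Add a database-level assertion using whatever the sibling tests use to look up an actor by username (not visible in this hunk), along the lines of `refute Actors.get_actor_by_name("new_identity")` if such a helper exists. The comment says a token obtained before the ban stays valid, but only an application token is exercised; if user access or refresh tokens are issued through a different path, a second case with one of those would show the guard holds for both, given that this resolver clause is the only check being relied on.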