Reject API key usage by users from deactivated realms

(imported from commit f1c791943f62bdde841ebb6975daef60e5a19174)
2025-11-02 13:03:29 +00:00 · 2014-03-05 13:20:26 -05:00
parent 40164f4398
commit 9ea3198ddf
1 changed files with 6 additions and 0 deletions
--- a/zerver/decorator.py
+++ b/zerver/decorator.py
@@ -153,6 +153,12 @@ def validate_api_key(role, api_key):
        raise JsonableError(reason + " for role '%s'" % (role,))
    if not profile.is_active:
        raise JsonableError("Account not active")
+    try:
+        if profile.realm.deactivated:
+            raise JsonableError("Realm for account has been deactivated")
+    except AttributeError:
+        # Deployment objects don't have realms
+        pass
    return profile

 # Use this for webhook views that don't get an email passed in.