diff --git a/zerver/lib/actions.py b/zerver/lib/actions.py
index 8bb78b0830..020472eab2 100644
--- a/zerver/lib/actions.py
+++ b/zerver/lib/actions.py
@@ -1170,7 +1170,6 @@ def do_deactivate_user(
 change_user_is_active(user_profile, False)
- delete_user_sessions(user_profile)
 clear_scheduled_emails(user_profile.id)
 event_time = timezone_now()
@@ -1196,6 +1195,7 @@ def do_deactivate_user(
 if settings.BILLING_ENABLED:
 update_license_ledger_if_needed(user_profile.realm, event_time)
+ delete_user_sessions(user_profile)
 event = dict(
 type="realm_user",
 op="remove",
diff --git a/zerver/tests/test_users.py b/zerver/tests/test_users.py
index 91142006e8..18a1e30f55 100644
--- a/zerver/tests/test_users.py
+++ b/zerver/tests/test_users.py
@@ -6,6 +6,7 @@ from unittest import mock
 import orjson
 from django.conf import settings
 from django.contrib.contenttypes.models import ContentType
+from django.contrib.sessions.models import Session
 from django.core.exceptions import ValidationError
 from django.test import override_settings
 from django.utils.timezone import now as timezone_now
@@ -1393,6 +1394,24 @@ class ActivateTest(ZulipTestCase):
 )
 self.assert_json_error(result, "Insufficient permission")
+ def test_clear_sessions(self) -> None:
+ user = self.example_user("hamlet")
+ self.login_user(user)
+ session_key = self.client.session.session_key
+ self.assertTrue(session_key)
+
+ result = self.client_get("/json/users")
+ self.assert_json_success(result)
+ self.assertEqual(Session.objects.filter(pk=session_key).count(), 1)
+
+ do_deactivate_user(user, acting_user=None)
+ self.assertEqual(Session.objects.filter(pk=session_key).count(), 0)
+
+ result = self.client_get("/json/users")
+ self.assert_json_error(
+ result, "Not logged in: API authentication or user session required", 401
+ )
+
 def test_clear_scheduled_jobs(self) -> None:
 user = self.example_user("hamlet")
 send_future_email(
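Review bot: In zerver/lib/actions.py (second hunk), the relocated `delete_user_sessions(user_profile)` now runs only after everything between the two hunks, including the `settings.BILLING_ENABLED` call to `update_license_ledger_if_needed(...)`, so an exception in any of those steps skips session revocation. Whether `change_user_is_active(user_profile, False)` is rolled back in that case depends on transaction scope that cannot be read from this hunk; indentation is lost on the page and the body of `do_deactivate_user` starts and ends outside it. If the move is meant to take session deletion out of a database transaction, record that above the call, for example `# Revoke sessions only once the deactivation above has been committed.`. It is also worth stating whether a billing failure is allowed to leave a deactivated account's sessions in the store, since nothing in the visible lines guards against that.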
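Review bot: In zerver/tests/test_users.py, `test_clear_sessions` pins revocation for a single session and only on the success path, so it would still pass if deactivation removed just one of a user's sessions. Logging the same user in from a second test client and asserting that both session keys are gone after `do_deactivate_user(user, acting_user=None)` would cover the multi-device case. The `Session.objects.filter(pk=session_key).count()` assertions presumably hold only for a database-backed session engine, so the final 401 request is the check that carries over to other backends and merits a one-line comment saying so. The enclosing class `ActivateTest` starts and ends outside the hunk.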