mozilla · RafaelJohn9 · Jan 20, 2025 · Jan 20, 2025 · Jan 20, 2025 · Jan 20, 2025
diff --git a/pontoon/base/middleware.py b/pontoon/base/middleware.py
@@ -6,6 +6,8 @@
 from raygun4py.middleware.django import Provider
 
 from django.conf import settings
+from django.contrib.auth.middleware import get_user
+from django.contrib.auth.models import User
 from django.core.cache import cache
 from django.core.exceptions import PermissionDenied
 from django.http import Http404, HttpResponseForbidden
@@ -149,3 +151,42 @@ def __call__(self, request):
             cache.set(observed_key, (1, now), self.observation_period)
 
         return response
+
+
+class AccountDisabledMiddleware:
+    def __init__(self, get_response):
+        self.get_response = get_response
+
+    def __call__(self, request):
+        # Manually fetch user from the session
+        request.user = get_user(request)
+        user = request.user
+
+        # If user is authenticated, check if they are inactive
+        if user.is_authenticated:
+            if not user.is_active:
+                return render(
+                    request,
+                    "account_disabled.html",
+                    {"DEFAULT_FROM_EMAIL": settings.DEFAULT_FROM_EMAIL},
+                    status=403,
+                )
+        else:
+            # For non-authenticated users, check the session manually
+            user_id = request.session.get("_auth_user_id")
+            if user_id:
+                try:
+                    user = User.objects.get(pk=user_id)
+                    if not user.is_active:
+                        return render(
+                            request,
+                            "account_disabled.html",
+                            {"DEFAULT_FROM_EMAIL": settings.DEFAULT_FROM_EMAIL},
+                            status=403,
+                        )
+                except User.DoesNotExist:
+                    pass  # If the user ID is invalid, ignore it
+
+        # Continue processing the request
+        response = self.get_response(request)
+        return response
diff --git a/pontoon/base/templates/account_disabled.html b/pontoon/base/templates/account_disabled.html
@@ -0,0 +1,6 @@
+{% extends "404.html" %}
+
+{% block title %}Account Disabled{% endblock %}
+{% block description %}
+Your account has been disabled. If you believe this is a mistake or need further assistance, please contact us at {{ DEFAULT_FROM_EMAIL }}.
+{% endblock %}
diff --git a/pontoon/base/tests/test_middleware.py b/pontoon/base/tests/test_middleware.py
@@ -67,3 +67,20 @@ def test_throttle(client, settings):
     # Make another request after block duration
     response = client.get(url, REMOTE_ADDR=ip_address)
     assert response.status_code == 200
+
+
+@pytest.mark.django_db
+def test_AccountDisabledMiddleware(client, member, settings):
+    member.user.is_active = False
+    member.user.save()
+
+    response = member.client.get("/")
+    assert response.status_code == 403
+    assert "account_disabled.html" in [t.name for t in response.templates]
+
+    # Ensure the user is authenticated and active
+    member.user.is_active = True
+    member.user.save()
+
+    response = member.client.get("/")
+    assert response.status_code == 200
diff --git a/pontoon/settings/base.py b/pontoon/settings/base.py
@@ -328,6 +328,7 @@ def _default_from_email():
     "corsheaders.middleware.CorsMiddleware",
     "django.middleware.common.CommonMiddleware",
     "django.contrib.sessions.middleware.SessionMiddleware",
+    "pontoon.base.middleware.AccountDisabledMiddleware",
     "django.contrib.auth.middleware.AuthenticationMiddleware",
     "pontoon.base.middleware.ThrottleIpMiddleware",
     "django.middleware.csrf.CsrfViewMiddleware",
@@ -753,7 +754,10 @@ def _default_from_email():
 # cache.
 if os.environ.get("MEMCACHE_SERVERS") is not None:
     CACHES = {
-        "default": {"BACKEND": "django_bmemcached.memcached.BMemcached", "OPTIONS": {}}
+        "default": {
+            "BACKEND": "django_bmemcached.memcached.BMemcached",
+            "OPTIONS": {},
+        }
     }
 else:
     CACHES = {
@@ -1168,7 +1172,10 @@ def account_username(user):
 )
 # Used for Community Builder badge
 BADGES_PROMOTION_THRESHOLDS = list(
-    map(int, os.environ.get("BADGES_PROMOTION_THRESHOLDS", "1, 2, 5").split(","))
+    map(
+        int,
+        os.environ.get("BADGES_PROMOTION_THRESHOLDS", "1, 2, 5").split(","),
+    )
 )
 
 DEFAULT_AUTO_FIELD = "django.db.models.AutoField"

diff --git a/pontoon/urls.py b/pontoon/urls.py
@@ -17,6 +17,7 @@ class LocaleConverter(StringConverter):
 page_not_found_view = TemplateView.as_view(template_name="404.html")
 too_many_requests_view = TemplateView.as_view(template_name="429.html")
 server_error_view = TemplateView.as_view(template_name="500.html")
+account_disabled_view = TemplateView.as_view(template_name="account_disabled.html")
 
 urlpatterns = [
     # Accounts
@@ -34,6 +35,7 @@ class LocaleConverter(StringConverter):
     path("404/", page_not_found_view),
     path("429/", too_many_requests_view),
     path("500/", server_error_view),
+    path("account_disabled/", account_disabled_view),
     # Robots.txt
     path(
         "robots.txt",