From 2a28c4d55b896337f742f3644268f218110dde8d Mon Sep 17 00:00:00 2001
From: Davor <davor.ivankovic2@gmail.com>
Date: Mon, 30 May 2022 12:25:42 +0200
Subject: [PATCH] reject consent request

Reject the consent request when the user doesn't have permissions for the app.
---
 web/login/login.py | 15 ++++++++++-----
 1 file changed, 10 insertions(+), 5 deletions(-)

diff --git a/web/login/login.py b/web/login/login.py
index 14341f6d..34a9bfce 100644
--- a/web/login/login.py
+++ b/web/login/login.py
@@ -262,14 +262,19 @@ def consent():
             .filter(AppRole.user_id == user.uuid)
             .first()
         )
-        print(role_object)
         if role_object is None or role_object.role_id is None:
             # If there is no role in app_roles or the role_id for an app is null user has no permissions
-            # TODO: how to handle if the user has no access for an app?
             current_app.logger.error(f"User has no access for: {app_obj.name}")
-        app_role = RoleService.get_role_by_id(role_object.role_id)
-        if (app_role is not None):
-            roles.append(app_role.name)
+            return redirect(
+                consent_request.reject(
+                    error="No access",
+                    error_description="The user has no access for app",
+                    error_hint="Contact your administrator",
+                    status_code=401,
+                )
+            )
+        else:
+            roles.append(role_object.role.name)
 
     current_app.logger.info(f"Using '{roles}' when applying consent for {kratos_id}")
 
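Review bot: The new `else` branch reads `role_object.role.name` without the `is not None` guard that the removed `RoleService.get_role_by_id` path had, so an app_roles row whose `role` relationship resolves to nothing raises AttributeError (a 500) instead of being rejected like the no-role case. Folding it into the existing guard keeps the fail-closed behaviour, e.g. `role = None if role_object is None else role_object.role` followed by `if role is None:` before the reject and `roles.append(role.name)` in the `else`. The reject uses `status_code=401` for a user who is already authenticated but lacks the role; 403 and the RFC 6749 error code `access_denied` in `error=` would describe the condition more precisely, provided the consent provider accepts them. The enclosing loop and `consent()` both start and end outside the hunk, so whether this `return` rejects consent for every requested app as soon as one app lacks a role cannot be confirmed here and is worth a comment at the `return`.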
-- 
GitLab