From 22157c7fa30d7a7779c536929d91affd864044e3 Mon Sep 17 00:00:00 2001
From: Ilya Prokopenko
Date: Thu, 27 Jan 2022 14:01:27 +0300
Subject: [PATCH] [SECURITY] Deny login to a deleted account

---
 Web/Presenters/AuthPresenter.php | 7 +++++--
 Web/Presenters/OpenVKPresenter.php | 7 +++++++
 2 files changed, 12 insertions(+), 2 deletions(-)

diff --git a/Web/Presenters/AuthPresenter.php b/Web/Presenters/AuthPresenter.php
index 0d43315b..9123f12a 100644
--- a/Web/Presenters/AuthPresenter.php
+++ b/Web/Presenters/AuthPresenter.php
@@ -126,6 +126,10 @@ final class AuthPresenter extends OpenVKPresenter
 if(!$this->authenticator->verifyCredentials($user->id, $this->postParam("password")))
 $this->flashFail("err", tr("login_failed"), tr("invalid_username_or_password"));
 
+ $ovkUser = new User($user->related("profiles.user")->fetch());
+ if($ovkUser->isDeleted())
+ $this->flashFail("err", tr("login_failed"), tr("invalid_username_or_password"));
+
 $secret = $user->related("profiles.user")->fetch()["2fa_secret"];
 $code = $this->postParam("code");
 if(!is_null($secret)) {
@@ -136,7 +140,6 @@ final class AuthPresenter extends OpenVKPresenter
 if(is_null($code))
 return;
 
- $ovkUser = new User($user->related("profiles.user")->fetch());
 if(!($code === (new Totp)->GenerateToken(Base32::decode($secret)) || $ovkUser->use2faBackupCode((int) $code))) {
 $this->flash("err", tr("login_failed"), tr("incorrect_2fa_code"));
 return;
@@ -229,7 +232,7 @@ final class AuthPresenter extends OpenVKPresenter
 }
 
 $user = $this->users->getByChandlerUser(new ChandlerUser($uRow));
- if(!$user)
+ if(!$user || $user->isDeleted())
 $this->flashFail("err", tr("error"), tr("password_reset_error"));
 
 $request = $this->restores->getLatestByUser($user);
diff --git a/Web/Presenters/OpenVKPresenter.php b/Web/Presenters/OpenVKPresenter.php
index c232cd91..1aee16d2 100755
--- a/Web/Presenters/OpenVKPresenter.php
+++ b/Web/Presenters/OpenVKPresenter.php
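Review bot: The new block fetches `$user->related("profiles.user")->fetch()` and the unchanged `$secret` line two lines below fetches the same profile row again; fetch it once and reuse it, e.g. `$profile = $user->related("profiles.user")->fetch();`, `$ovkUser = new User($profile);`, `$secret = $profile["2fa_secret"];`. If `fetch()` can return null for a Chandler account with no OpenVK profile, `new User(null)` is now reached on every password login rather than only after 2FA was known to be enabled, so it is worth confirming how the `User` constructor handles a null row. Reusing `invalid_username_or_password` for the deleted case is the right choice because the response stays indistinguishable from a wrong password; the password is still verified before the deleted check, so the only remaining difference is timing. The enclosing login action starts and ends outside the hunk.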
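Review bot: The `|| $user->isDeleted()` guard is applied only at the stage that resolves an existing restore request (`$this->restores->getLatestByUser($user)`); the stage that creates and mails a reset request is not part of this patch, and if it resolves the user the same way it presumably needs the same guard, otherwise a deleted account would still receive reset mail and the check is only enforced at the final step. The generic `password_reset_error` message is appropriate here since it does not reveal whether the account is missing or deleted. The enclosing method starts outside the hunk.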
@@ -210,6 +210,13 @@ abstract class OpenVKPresenter extends SimplePresenter
 $this->user->id = $this->user->identity->getId();
 $this->template->thisUser = $this->user->identity;
 $this->template->userTainted = $user->isTainted();
+
+ if($this->user->identity->isDeleted()) {
+ Authenticator::i()->logout();
+ Session::i()->set("_su", NULL);
+ $this->flashFail("err", tr("error"), tr("profile_not_found"));
+ $this->redirect("/", static::REDIRECT_TEMPORARY);
+ }
 
 if($this->user->identity->isBanned() && !$this->banTolerant) {
 header("HTTP/1.1 403 Forbidden");
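Review bot: `$this->redirect("/", static::REDIRECT_TEMPORARY);` after `$this->flashFail(...)` looks unreachable: the AuthPresenter hunks in this same patch use `flashFail` as a terminating statement (the reset path goes on to call `$this->restores->getLatestByUser($user)` where `$user` would be null had it fallen through), so `flashFail` presumably redirects and exits itself and the explicit redirect line can be dropped; if it does not terminate, the redirect is the real exit and that should be stated in a comment. `Authenticator::i()->logout()` ends the whole session, so if `_su` is an impersonation key an administrator who opened a deleted profile through it is logged out rather than returned to their own account — if that is intended, a comment such as `// deleted profile: tear down the whole session, including any _su impersonation` would record the choice. Answering a deleted profile with a flash and a redirect to `/` while the banned case below answers 403 is a visible asymmetry between two terminal states checked on every request, and deserves a one-line comment explaining why. The enclosing method starts and ends outside the hunk.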