Login with Google allows user to log in the first time even though the "New user accounts can be used right away" tab is disabled!

Hi,

I am not sure if it is a bug or my limited experience. When I implement user service as follows:

And run the app, then click sign in with Google, it allows me to access the first page right away, even though the enable box is set to False, and when I try to log in again using sign in with Google it says “This account has not been enabled by an administrator”. My understanding is that I shouldn’t be able to access the first page from the beginning until my account is enabled by the admin.

Here is my app:

https://anvil.works/build#clone:4I2NDZDZYR5JY662=XMYQ5EBTDHIUHCSYUKFTJYHE

Please help in resolving this issue.

Thank you,

2 Likes

Any clue about how to fix this issue?

Hi @advancedhealthsys, thanks for pointing out a very interesting matter. Without seeing your code, it’s kind of hard to say what actually happens. But I guess the code below is yours:

def __init__(self, **properties):
    # Set Form properties and Data Bindings.
    self.init_components(**properties)
    anvil.users.login_with_google()    

It is true that the form is displayed; however, if you add the following code, you will find that the user doesn’t actually log in yet, since there is an error:

# dev only, not for production
user = anvil.users.get_user()
self.label_1.text = user['enabled']

TypeError: 'NoneType' does not support indexing
at Form1, line 17

The form is displayed because it is not protected. Please see the following topic for more information on how to fix it

This seems like a bug to me.

I can confirm the unusual behaviour

  • this only happens on the first sign in with a google account
  • When clicking sign up with gmail the user can access the site even though their account is not enabled.
  • The next time they sign in with google they get the error message that says the account has not yet been enabled.
2 Likes

I suspect a bug as well, but it might be intended for showing any message like “Your account will be enabled soon”. There are several other possibilities, such as the main form being used as some kind of homepage, and the exception should be handled properly.

The intended use is just unknown

I agree with @stucork. I know that I can bypass this issue by creating another enable column and then checking if it was enabled or not before directing users to the main page; however, I preferred that the issue get fixed to save time when using user service.

Hi @advancedhealthsys,

Thanks for letting us know - this is a UI bug, but it isn’t a security bug. Moving to Bug Reports.

As @Tony.Nguyen points out, this isn’t logging the user in - it’s just returning the newly-created user object. anvil.users.get_user() will still return None.

It’s also good practice to ensure that you have appropriate security measures in place in your Server Modules, as client-side code can’t be trusted. For example, customising your @anvil.server.callable decorators to require user authentication, to make sure server functions can only be executed by a logged-in user.

Rather than creating another enabled column, you can just check for anvil.users.get_user() in the __init__ method of your Startup Form:

anvil.users.login_with_form()
    
if not anvil.users.get_user():
  anvil.users.login_with_form()
3 Likes
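
A toy model of the behaviour described in this thread, added here as an example (it is not Anvil's code and not from any poster): the first Google sign-in returns a new, disabled user row without establishing a session, so a server-side guard that consults get_user() still refuses the call. UsersModel, require_enabled_user, make_server and get_private_data are hypothetical names; in an Anvil app the session lookup would be anvil.users.get_user().

```python
# Toy model built from the thread's description; not Anvil's implementation.
import functools

class AccountNotEnabled(Exception):
    """Raised when a known but disabled account tries to sign in."""

class UsersModel:
    """Stand-in for the Users service: a user table plus one session slot."""
    def __init__(self, new_accounts_enabled=False):
        self.new_accounts_enabled = new_accounts_enabled
        self.rows = {}             # email -> user row (dict)
        self.session_user = None   # what get_user() reports

    def get_user(self):
        return self.session_user

    def login_with_google(self, email):
        row = self.rows.get(email)
        if row is None:
            # First sign-in: the row is created and returned, but the session
            # only gets a user when new accounts are usable right away.
            row = {"email": email, "enabled": self.new_accounts_enabled}
            self.rows[email] = row
            if row["enabled"]:
                self.session_user = row
            return row
        if not row["enabled"]:
            raise AccountNotEnabled("This account has not been enabled by an administrator")
        self.session_user = row
        return row

def require_enabled_user(get_user):
    """Server-side guard: trust the session's user, never a row the client holds."""
    def decorator(fn):
        @functools.wraps(fn)
        def wrapper(*args, **kwargs):
            user = get_user()
            if user is None or not user["enabled"]:
                raise PermissionError("login required")
            return fn(*args, **kwargs)
        return wrapper
    return decorator

def make_server(users):
    # Hypothetical server function protected by the guard above.
    @require_enabled_user(users.get_user)
    def get_private_data():
        return ["constructed record"]
    return get_private_data
```

The unprotected form can still render after the first sign-in, which is the UI behaviour reported above; the guarded function is what keeps data out of reach until an administrator enables the row.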

Hi @bridget, on the one hand it is a UI bug; on the other, I find it a way to customize signing in with a Google account. When fixing the bug, it would be great if you could make a way to customize the process.

Thanks so much

1 Like