Add logic to core View class, to force logout if user becomes inactive

Also, expose "active sticky" field for user views

tailbone/auth.py

@@ -1,4 +1,4 @@
-# -*- coding: utf-8 -*-
+# -*- coding: utf-8; -*-
 ################################################################################
 #
 #  Rattail -- Retail Software Framework
@@ -34,7 +34,7 @@ from rattail.util import prettify, NOTSET
 
 from zope.interface import implementer
 from pyramid.interfaces import IAuthorizationPolicy
-from pyramid.security import remember, Everyone, Authenticated
+from pyramid.security import remember, forget, Everyone, Authenticated
 
 from tailbone.db import Session
 
@@ -55,6 +55,17 @@ def login_user(request, user, timeout=NOTSET):
     return headers
 
 
+def logout_user(request):
+    """
+    Perform the logout action for the given request.  Note that this returns a
+    ``headers`` dict which you should pass to the redirect.
+    """
+    request.session.delete()
+    request.session.invalidate()
+    headers = forget(request)
+    return headers
+
+
 def session_timeout_for_user(user):
     """
     Returns the "max" session timeout for the user, according to roles

tailbone/views/auth.py

@@ -1,8 +1,8 @@
-# -*- coding: utf-8 -*-
+# -*- coding: utf-8; -*-
 ################################################################################
 #
 #  Rattail -- Retail Software Framework
-#  Copyright © 2010-2016 Lance Edgar
+#  Copyright © 2010-2017 Lance Edgar
 #
 #  This file is part of Rattail.
 #
@@ -30,14 +30,13 @@ from rattail.db.auth import authenticate_user, set_user_password
 
 import formencode as fe
 from pyramid.httpexceptions import HTTPForbidden
-from pyramid.security import remember, forget
 from pyramid_simpleform import Form
 from webhelpers.html import tags, literal
 
 from tailbone import forms
 from tailbone.db import Session
 from tailbone.views import View
-from tailbone.auth import login_user
+from tailbone.auth import login_user, logout_user
 
 
 class UserLogin(fe.Schema):
@@ -137,9 +136,7 @@ class AuthenticationView(View):
         This deletes/invalidates the current session and then redirects to the
         login page.
         """
-        self.request.session.delete()
+        headers = logout_user(self.request)
-        self.request.session.invalidate()
-        headers = forget(self.request)
         if self.rattail_config.getbool('tailbone', 'home_after_logout', default=False):
             return self.redirect(self.request.route_url('home'), headers=headers)
         login = 'mobile.login' if mobile else 'login'

tailbone/views/core.py

@@ -35,6 +35,7 @@ from pyramid.renderers import render_to_response
 from pyramid.response import FileResponse
 
 from tailbone.db import Session
+from tailbone.auth import logout_user
 
 
 class View(object):
@@ -44,6 +45,9 @@ class View(object):
 
     def __init__(self, request):
         self.request = request
+        if request.user and not request.user.active:
+            headers = logout_user(request)
+            raise self.redirect(request.route_url('home'))
         config = self.rattail_config
         if config:
             self.enum = config.get_enum()

tailbone/views/users.py

@@ -187,6 +187,7 @@ class UsersView(PrincipalMasterView):
                 fs.username,
                 fs.person,
                 fs.active,
+                fs.active_sticky,
                 fs.password,
                 fs.confirm_password,
                 fs.roles,