Don't allow creating personal sessions for deactivated users

Author: reivilibre

crates/handlers/src/admin/v1/personal_sessions/add.rs

@@ -32,6 +32,9 @@ pub enum RouteError {
     #[error("User not found")]
     UserNotFound,
 
+    #[error("User is not active")]
+    UserDeactivated,
+
     #[error("Invalid scope")]
     InvalidScope,
 }
@@ -46,6 +49,7 @@ impl IntoResponse for RouteError {
         let status = match self {
             Self::Internal(_) => StatusCode::INTERNAL_SERVER_ERROR,
             Self::UserNotFound => StatusCode::NOT_FOUND,
+            Self::UserDeactivated => StatusCode::GONE,
             Self::InvalidScope => StatusCode::BAD_REQUEST,
         };
         (status, sentry_event_id, Json(error)).into_response()
@@ -114,6 +118,10 @@ pub async fn handler(
         .await?
         .ok_or(RouteError::UserNotFound)?;
 
+    if actor_user.deactivated_at.is_some() {
+        return Err(RouteError::UserDeactivated);
+    }
+
     let scope: Scope = params.scope.parse().map_err(|_| RouteError::InvalidScope)?;
 
     // Create the personal session