Relax the validity check of the token actor

Author: reivilibre

crates/data-model/src/users.rs

@@ -30,6 +30,20 @@ impl User {
     pub fn is_valid(&self) -> bool {
         self.locked_at.is_none() && self.deactivated_at.is_none()
     }
+
+    /// Returns `true` if the user is a valid actor, for example
+    /// of a personal session.
+    ///
+    /// Currently: this is `true` unless the user is deactivated.
+    ///
+    /// This is a weaker form of validity: `is_valid` always implies
+    /// `is_valid_actor`, but some users (currently: locked users)
+    /// can be valid actors for personal sessions but aren't valid
+    /// except through administrative access.
+    #[must_use]
+    pub fn is_valid_actor(&self) -> bool {
+        self.deactivated_at.is_none()
+    }
 }
 
 impl User {

crates/handlers/src/admin/call_context.rs

@@ -264,11 +264,20 @@ where
             None
         };
 
-        // If there is a user for this session, check that it is not locked
-        if let Some(user) = &user
-            && !user.is_valid()
-        {
-            return Err(Rejection::UserLocked);
+        if let CallerSession::PersonalSession(_) = &session {
+            // For personal sessions: check that the actor is valid enough
+            // to be an actor.
+            // unwrap: personal sessions always have an actor user
+            if !user.as_ref().unwrap().is_valid_actor() {
+                return Err(Rejection::UserLocked);
+            }
+        } else {
+            // If there is a user for this session, check that it is not locked
+            if let Some(user) = &user
+                && !user.is_valid()
+            {
+                return Err(Rejection::UserLocked);
+            }
         }
 
         // For now, we only check that the session has the admin scope