http: session/login reject disabled users; mid-session disable kicks immediately

internal/server/http/rbac_test.go

@@ -1,10 +1,13 @@
 package http
 
 import (
+	"bytes"
+	"encoding/json"
 	stdhttp "net/http"
 	"net/http/httptest"
 	"strings"
 	"testing"
+	"time"
 
 	"gitea.dcglab.co.uk/steve/restic-manager/internal/store"
 )
@@ -95,6 +98,50 @@ func TestRequireRoleUnauthenticated401OnAPI(t *testing.T) {
 	}
 }
 
+func TestRequireRoleRejectsDisabledMidSession(t *testing.T) {
+	t.Parallel()
+	srv, urlBase := newTestServer(t, false)
+	uid := makeUser(t, srv, "victim", store.RoleOperator)
+	cookie := loginAs(t, srv, uid)
+
+	// Disable the user *while their session is still valid*.
+	if err := srv.deps.Store.DisableUser(t.Context(), uid, time.Now().UTC()); err != nil {
+		t.Fatalf("disable: %v", err)
+	}
+
+	req, _ := stdhttp.NewRequest("GET", urlBase+"/api/hosts", nil)
+	req.AddCookie(cookie)
+	res, err := stdhttp.DefaultClient.Do(req)
+	if err != nil {
+		t.Fatalf("GET: %v", err)
+	}
+	defer res.Body.Close()
+	if res.StatusCode != stdhttp.StatusUnauthorized {
+		t.Errorf("status: got %d want 401", res.StatusCode)
+	}
+}
+
+func TestLoginRejectsDisabledUser(t *testing.T) {
+	t.Parallel()
+	srv, urlBase := newTestServer(t, false)
+	uid := makeUser(t, srv, "disabled1", store.RoleOperator)
+	if err := srv.deps.Store.DisableUser(t.Context(), uid, time.Now().UTC()); err != nil {
+		t.Fatalf("disable: %v", err)
+	}
+
+	body, _ := json.Marshal(map[string]string{
+		"username": "disabled1", "password": "test-password",
+	})
+	res, err := stdhttp.Post(urlBase+"/api/auth/login", "application/json", bytes.NewReader(body))
+	if err != nil {
+		t.Fatalf("POST: %v", err)
+	}
+	defer res.Body.Close()
+	if res.StatusCode != stdhttp.StatusUnauthorized {
+		t.Errorf("status: got %d want 401", res.StatusCode)
+	}
+}
+
 func TestAdminBandRejectsOperator(t *testing.T) {
 	t.Parallel()
 	// This test will start asserting 403 once Task B4 mounts /api/users