From 29c3da5d0e0c8ff29965b01736b2bade51bde74b Mon Sep 17 00:00:00 2001
From: Olivier 'reivilibre
Date: Wed, 22 Oct 2025 11:31:17 +0100
Subject: [PATCH] Don't allow creating personal sessions for deactivated users
---
 crates/handlers/src/admin/v1/personal_sessions/add.rs | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/crates/handlers/src/admin/v1/personal_sessions/add.rs b/crates/handlers/src/admin/v1/personal_sessions/add.rs
index 5a7bb5a0e..cc86807e9 100644
--- a/crates/handlers/src/admin/v1/personal_sessions/add.rs
+++ b/crates/handlers/src/admin/v1/personal_sessions/add.rs
@@ -32,6 +32,9 @@ pub enum RouteError {
 #[error("User not found")]
 UserNotFound,

+ #[error("User is not active")]
+ UserDeactivated,
+
 #[error("Invalid scope")]
 InvalidScope,
 }
@@ -46,6 +49,7 @@ impl IntoResponse for RouteError {
 let status = match self {
 Self::Internal(_) => StatusCode::INTERNAL_SERVER_ERROR,
 Self::UserNotFound => StatusCode::NOT_FOUND,
+ Self::UserDeactivated => StatusCode::GONE,
 Self::InvalidScope => StatusCode::BAD_REQUEST,
 };
 (status, sentry_event_id, Json(error)).into_response()
@@ -114,6 +118,10 @@ pub async fn handler(
 .await?
 .ok_or(RouteError::UserNotFound)?;

+ if actor_user.deactivated_at.is_some() {
+ return Err(RouteError::UserDeactivated);
+ }
+
 let scope: Scope = params.scope.parse().map_err(|_| RouteError::InvalidScope)?;

 // Create the personal session
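Review bot: `StatusCode::GONE` on the new `UserDeactivated` arm tells clients the resource is permanently gone, yet the user record was found by the lookup and the request failed because of the account's state. If deactivation can be reversed in this system, `Self::UserDeactivated => StatusCode::CONFLICT,` describes the condition more accurately and lets API consumers tell "no such user" apart from "user exists but may not act". Whichever code is kept, the endpoint's documented responses should list it; that documentation is not visible in this hunk, so confirm it was updated. The `into_response` body starts and ends outside the hunk.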
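Review bot: The new guard in `handler` tests only `actor_user.deactivated_at`, so any other non-usable account state would still pass and get a personal session issued. If the user model also tracks a locked state, check both, for example `if actor_user.deactivated_at.is_some() || actor_user.locked_at.is_some() {`, or add a comment saying why locked users are deliberately allowed. The check runs only at creation time, so it is worth confirming that deactivating a user also revokes or invalidates personal sessions that already exist for them. The patch touches one file and adds no test; a case that submits a deactivated actor and asserts the error status would keep this from regressing. `handler` starts and ends outside the hunk.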