From e4703225543af6e5eab13160214120b2907a0c85 Mon Sep 17 00:00:00 2001
From: Benjamin Dauvergne
Date: Tue, 21 Apr 2020 22:26:50 +0200
Subject: [PATCH 1/3] backends: prevent authentication by deleted user
---
 src/authentic2/backends/__init__.py | 2 ++
 src/authentic2/backends/models_backend.py | 5 ++++-
 2 files changed, 6 insertions(+), 1 deletion(-)
diff --git src/authentic2/backends/__init__.py src/authentic2/backends/__init__.py
index 43f4c267..ad3b5217 100644
--- src/authentic2/backends/__init__.py
+++ src/authentic2/backends/__init__.py
@@ -23,6 +23,8 @@ def get_user_queryset():
 qs = User.objects.all()
+ qs = qs.filter(deleted__isnull=True)
+
 if app_settings.A2_USER_FILTER:
 qs = qs.filter(**app_settings.A2_USER_FILTER)
diff --git src/authentic2/backends/models_backend.py src/authentic2/backends/models_backend.py
index de816885..aeeb58e6 100644
--- src/authentic2/backends/models_backend.py
+++ src/authentic2/backends/models_backend.py
@@ -87,9 +87,12 @@ class ModelBackend(ModelBackend):
 def get_user(self, user_id):
 UserModel = get_user_model()
 try:
- return UserModel._default_manager.get(pk=user_id)
+ user = UserModel._default_manager.get(pk=user_id)
 except UserModel.DoesNotExist:
 return None
+ if user.deleted:
+ return None
+ return user
 def get_saml2_authn_context(self):
 import lasso
-- 
2.26.0
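Review bot: The `deleted__isnull=True` filter added to get_user_queryset() in backends/__init__.py carries no comment marking it as a security invariant, so a later refactor could fold it under the `if app_settings.A2_USER_FILTER:` branch or drop it as redundant. I would put `# Accounts marked deleted must never authenticate; A2_USER_FILTER below only narrows this further.` directly above it. The filter only protects callers that go through this helper; lookups that use the manager directly (ModelBackend.get_user, patched separately in this commit) each need their own check. The function body continues past the end of the hunk.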
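Review bot: In ModelBackend.get_user (models_backend.py) the deleted check runs in Python after the row is loaded (`if user.deleted:`), while get_user_queryset() states the same rule as `deleted__isnull=True`, so the two definitions of "deleted" can drift apart. Putting the condition in the lookup, `return UserModel._default_manager.get(pk=user_id, deleted__isnull=True)`, lets the existing `except UserModel.DoesNotExist` branch return None and makes the three added lines unnecessary. If the Python-side check is kept, `if user.deleted is not None:` states the intent more exactly than a truthiness test, since `deleted` appears to be a nullable field. A regression test asserting that get_user() returns None for a user whose `deleted` is set would pin the behaviour for existing sessions.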