From 4bd193cdfec58bf2818d8d1f58328cc5c7f8eded Mon Sep 17 00:00:00 2001
From: Claire
Date: Mon, 13 Oct 2025 14:19:14 +0200
Subject: [PATCH] Merge commit from fork

* Streaming: Ensure disabled users cannot connect to streaming

* Streaming: Disconnect when the user is disabled

---------

Co-authored-by: Emelia Smith
---
 app/models/user.rb | 4 ++++
 spec/models/user_spec.rb | 11 +++++++----
 streaming/index.js | 2 +-
 3 files changed, 12 insertions(+), 5 deletions(-)

diff --git a/app/models/user.rb b/app/models/user.rb
index 94d748453..08e3bf7ea 100644
--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -180,6 +180,10 @@ class User < ApplicationRecord
 
 def disable!
 update!(disabled: true)
+
+ # This terminates all connections for the given account with the streaming
+ # server:
+ redis.publish("timeline:system:#{account.id}", Oj.dump(event: :kill))
 end
 
 def enable!
diff --git a/spec/models/user_spec.rb b/spec/models/user_spec.rb
index 6c557f8c9..57e4f7f9e 100644
--- a/spec/models/user_spec.rb
+++ b/spec/models/user_spec.rb
@@ -448,12 +448,15 @@ RSpec.describe User do
 
 let(:current_sign_in_at) { Time.zone.now }
 
- before do
- user.disable!
- end
-
 it 'disables user' do
+ allow(redis).to receive(:publish)
+
+ user.disable!
+
 expect(user).to have_attributes(disabled: true)
+
+ expect(redis)
+ .to have_received(:publish).with("timeline:system:#{user.account.id}", Oj.dump(event: :kill)).once
 end
 end
 
diff --git a/streaming/index.js b/streaming/index.js
index e599b1904..3fc5b3613 100644
--- a/streaming/index.js
+++ b/streaming/index.js
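Review bot: In `User#disable!` (app/models/user.rb) the kill event is published right after `update!`, so if a caller wraps `disable!` in a transaction the event can reach the streaming server before the `disabled` flag is committed, and a client that reconnects at once would still pass the token lookup in streaming/index.js. No callers are visible in this patch, so this may not happen today, but the constraint is worth stating next to the call, e.g. `# Publish only once disabled: true is visible to the streaming server's token query; a reconnect before that is still accepted.` Redis pub/sub is at-most-once, so a streaming process that is not subscribed at that moment would presumably keep its connections open; the existing comment's "terminates all connections" could read "asks the streaming server to terminate". The class body continues outside the hunk.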
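Review bot: The rewritten 'disables user' example in spec/models/user_spec.rb checks that one kill event is published, but not that it is published after the flag has been saved, which is the ordering the streaming-side check relies on. The stub can assert that directly: `allow(redis).to receive(:publish) { expect(user.reload.disabled).to be(true) }`. The example now also covers two behaviours, so splitting it into 'disables user' and 'publishes a kill event' would make a failure easier to read. The enclosing describe block starts outside the hunk.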
@@ -459,7 +459,7 @@ const startServer = async () => {
 return;
 }
 
- client.query('SELECT oauth_access_tokens.id, oauth_access_tokens.resource_owner_id, users.account_id, users.chosen_languages, oauth_access_tokens.scopes, devices.device_id FROM oauth_access_tokens INNER JOIN users ON oauth_access_tokens.resource_owner_id = users.id LEFT OUTER JOIN devices ON oauth_access_tokens.id = devices.access_token_id WHERE oauth_access_tokens.token = $1 AND oauth_access_tokens.revoked_at IS NULL LIMIT 1', [token], (err, result) => {
+ client.query('SELECT oauth_access_tokens.id, oauth_access_tokens.resource_owner_id, users.account_id, users.chosen_languages, oauth_access_tokens.scopes, devices.device_id FROM oauth_access_tokens INNER JOIN users ON oauth_access_tokens.resource_owner_id = users.id LEFT OUTER JOIN devices ON oauth_access_tokens.id = devices.access_token_id WHERE oauth_access_tokens.token = $1 AND oauth_access_tokens.revoked_at IS NULL AND users.disabled IS FALSE LIMIT 1', [token], (err, result) => {
 done();
 
 if (err) {
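Review bot: The new `AND users.disabled IS FALSE` predicate is appended to a single-line SQL string several hundred characters long, so the access-control change is easy to miss in review and every later predicate will again diff as a whole-line rewrite. A multi-line template literal with one condition per line would fix that, with a short comment above it such as `// Reject revoked tokens and disabled users; IS FALSE also rejects NULL, so the check fails closed.` The query runs only when a connection authenticates, so connections that are already open depend entirely on the kill event published from `User#disable!`. The callback and the enclosing `startServer` body continue outside the hunk.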