From 6f6204a849b52510c42e16c22b29f7f4c993ac0c Mon Sep 17 00:00:00 2001
From: Matt Baer
Date: Tue, 17 Dec 2019 13:02:21 -0500
Subject: [PATCH] Return 404 for suspended pass-protected colls

Previously, any password-protected collection on a suspended account would prompt visitors for a password, and *then* take them to the "not found" page. This fixes that.
---
 collections.go | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/collections.go b/collections.go
index b85f0a4..66ad7a0 100644
--- a/collections.go
+++ b/collections.go
@@ -648,6 +648,16 @@ func processCollectionPermissions(app *App, cr *collectionReq, u *User, w http.R
 uname = u.Username
 }
 
+ // TODO: move this to all permission checks?
+ suspended, err := app.db.IsUserSuspended(c.OwnerID)
+ if err != nil {
+ log.Error("process protected collection permissions: %v", err)
+ return nil, err
+ }
+ if suspended {
+ return nil, ErrCollectionNotFound
+ }
+
 // See if we've authorized this collection
 authd := isAuthorizedForCollection(app, c.Alias, r)
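Review bot: The `// TODO: move this to all permission checks?` comment above the new `IsUserSuspended` call leaves open whether suspension is enforced for collections that never reach this password-protected path; the hunk alone cannot confirm it, so this check should not be treated as the only suspension gate until that is resolved. I would replace the TODO with a comment recording why the check sits where it does, e.g. `// Check suspension before the password prompt so the prompt does not confirm that a suspended account's collection exists.` The error branch logs without naming the collection or owner, so a failed lookup is hard to trace; `log.Error("process protected collection permissions (alias %v, owner %v): %v", c.Alias, c.OwnerID, err)` would fix that. processCollectionPermissions begins and ends outside the hunk, so the enclosing branch condition and what the caller does with the returned `err` are not visible here.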