From 801608e077c1bd33319b6973a274d8d1d7b4a85e Mon Sep 17 00:00:00 2001
From: Fabien O'Carroll
Date: Thu, 5 Mar 2020 12:22:50 +0200
Subject: [PATCH] Fixed permission to only fetch for active users (#11641)
no-issue Essentially only active users should have their permissions loaded, this means that suspended or inactive users are stripped of all permissions until their status is changed.
---
 core/server/services/permissions/providers.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/core/server/services/permissions/providers.js b/core/server/services/permissions/providers.js
index bede6238ee..04a33a81a4 100644
--- a/core/server/services/permissions/providers.js
+++ b/core/server/services/permissions/providers.js
@@ -5,7 +5,7 @@ var _ = require('lodash'),
 module.exports = {
 user: function (id) {
- return models.User.findOne({id: id, status: 'all'}, {withRelated: ['permissions', 'roles', 'roles.permissions']})
+ return models.User.findOne({id: id, status: 'active'}, {withRelated: ['permissions', 'roles', 'roles.permissions']})
 .then(function (foundUser) {
 // CASE: {context: {user: id}} where the id is not in our database
 if (!foundUser) {
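Review bot: The `if (!foundUser)` branch at the end of the hunk is now reached for a suspended or inactive user as well as for an unknown id, but its comment still reads `// CASE: {context: {user: id}} where the id is not in our database`. I would change it to `// CASE: {context: {user: id}} where the id is not in our database, or the user is not active`, so a later reader does not take the filter for a bug and set it back to `'all'`. The branch body lies outside the hunk, so it is worth confirming that what it returns makes the caller deny access, rather than yielding an empty permission set that some caller could treat as "nothing to check". The diffstat shows only providers.js changed; a regression test asserting that a non-active user ends up with no permissions would pin this authorization behaviour, including how `User.findOne` interprets the `status` option, which is not visible here.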