Block user if they're not active #1066

app/Http/Middleware/ApiAuth.php

@@ -6,6 +6,7 @@
 namespace App\Http\Middleware;
 
 use App\Contracts\Middleware;
+use App\Models\Enums\UserState;
 use App\Models\User;
 use Closure;
 use Illuminate\Http\Request;
@@ -38,6 +39,10 @@ class ApiAuth implements Middleware
             return $this->unauthorized('User not found with key "'.$api_key.'"');
         }
 
+        if ($user->state !== UserState::ACTIVE && $user->state !== UserState::ON_LEAVE) {
+            return $this->unauthorized('User is not ACTIVE, please contact an administrator');
+        }
+
         // Set the user to the request
         Auth::setUser($user);
         $request->merge(['user' => $user]);