sessions: unset disabled/deleted user from session (#47818)

tests/test_form_pages.py

@@ -1244,6 +1244,23 @@ def test_form_submit_with_user(pub, emails):
     assert emails.emails.get('New form (test)')['email_rcpt'] == ['foo@localhost']
 
 
+def test_form_submit_with_just_disabled_user(pub, emails):
+    user = create_user(pub)
+    formdef = create_formdef()
+    app = login(get_app(pub), username='foo', password='foo')
+    formdef.data_class().wipe()
+    resp = app.get('/test/')
+    resp = resp.form.submit('submit')
+    assert 'Check values then click submit.' in resp
+    user.is_active = False
+    user.store()
+    resp = resp.form.submit('submit')
+    resp = resp.follow()
+    assert 'The form has been recorded' in resp
+    assert formdef.data_class().count() == 1
+    assert formdef.data_class().select()[0].user_id is None
+
+
 def test_form_titles(pub):
     formdef = create_formdef()
     formdef.fields = [

wcs/forms/root.py

@@ -1277,8 +1277,7 @@ class FormPage(Directory, FormTemplateMixin):
 
         filled.data = self.formdef.get_data(form)
         session = get_session()
-        if session and session.user and not str(session.user).startswith('anonymous-'):
-            filled.user_id = get_request().user.id
+        filled.user = get_request().user
 
         if get_request().get_path().startswith('/backoffice/'):
             filled.user_id = None

wcs/qommon/sessions.py

@@ -222,12 +222,17 @@ class Session(QommonSession, CaptchaSession, StorableObject):
                     return None
             if user.is_active:
                 return user
+            else:
+                self.set_user(None)
+
         return None
 
     def set_user(self, user_id):
         self.id = None # force a new session id to be assigned
         self.extra_user_variables = None
         QuixoteSession.set_user(self, user_id)
+        if user_id is None:
+            return
         if str(user_id).startswith('anonymous-'):
             # do not store connection time for anonymous users
             return