From f6480d805b57d79a581f5c555e95d1a665084894 Mon Sep 17 00:00:00 2001
From: Maarten de Waard
Date: Wed, 15 Jun 2022 14:18:09 +0200
Subject: [PATCH] deny app access if role_id is 3 (no access)
---
 web/login/login.py | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/web/login/login.py b/web/login/login.py
index 34a9bfc..ef54a18 100644
--- a/web/login/login.py
+++ b/web/login/login.py
@@ -262,7 +262,8 @@ def consent():
 .filter(AppRole.user_id == user.uuid)
 .first()
 )
- if role_object is None or role_object.role_id is None:
+ # Role ID 3 is always "No access" due to migration b514cca2d47b
+ if role_object is None or role_object.role_id is None or role_object.role_id == 3:
 # If there is no role in app_roles or the role_id for an app is null user has no permissions
 current_app.logger.error(f"User has no access for: {app_obj.name}")
 return redirect(
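Review bot: The access decision in `consent()` now hinges on the bare literal `3`, a row id that is only fixed by migration b514cca2d47b; a module-level constant (name is a suggestion) such as `NO_ACCESS_ROLE_ID = 3`, used as `or role_object.role_id == NO_ACCESS_ROLE_ID:`, would keep that dependency in one greppable place. The condition is also a deny-list, so any other `role_id` value falls through to the consent path; if the set of roles that grant access is known here, testing membership in that set would fail closed when a new role is added. The unchanged comment under the condition still names only the missing-role and null cases and should also mention the "No access" role. `consent()` starts and ends outside this hunk, so other uses of `role_id` in it are not visible here.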