From 4d1beef728130005627d8177ecc387392c930d01 Mon Sep 17 00:00:00 2001 From: Jacob Shandling <61553566+jacobshandling@users.noreply.github.com> Date: Wed, 26 Apr 2023 10:45:40 -0700 Subject: [PATCH] Check for "No access" for authenticated routes (#11307) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit ## Addresses #11188 When an _already authenticated_ no-access user tries to access any authenticated routes: - Log the user out - Display the 403 'Forbidden' error page https://www.loom.com/share/358fd5b534984ab9ab40220986a7d094 The user _can_ still log in – see attached issue. ## Checklist for submitter - [x] Changes file added for user-visible changes in `changes/` - [x] Manual QA for all new/changed functionality --------- Co-authored-by: Jacob Shandling
---
 changes/11188-no-access-user | 1 +
 .../AuthenticatedRoutes/AuthenticatedRoutes.tsx | 11 ++++++++++-
 2 files changed, 11 insertions(+), 1 deletion(-)
 create mode 100644 changes/11188-no-access-user
diff --git a/changes/11188-no-access-user b/changes/11188-no-access-user
new file mode 100644
index 0000000000..3190443324
--- /dev/null
+++ b/changes/11188-no-access-user
@@ -0,0 +1 @@
+* Present the 403 error page when a user with no access logs in.
diff --git a/frontend/router/components/AuthenticatedRoutes/AuthenticatedRoutes.tsx b/frontend/router/components/AuthenticatedRoutes/AuthenticatedRoutes.tsx
index effdd71c84..647e8191be
--- a/frontend/router/components/AuthenticatedRoutes/AuthenticatedRoutes.tsx
+++ b/frontend/router/components/AuthenticatedRoutes/AuthenticatedRoutes.tsx
@@ -5,7 +5,9 @@ import paths from "router/paths";
 import { AppContext } from "context/app";
 import { RoutingContext } from "context/routing";
 import useDeepEffect from "hooks/useDeepEffect";
-import { authToken } from "utilities/local";
+import local, { authToken } from "utilities/local";
+import { useErrorHandler } from "react-error-boundary";
+import permissions from "utilities/permissions";

 interface IAppProps {
 children: JSX.Element;
@@ -24,6 +26,8 @@ export const AuthenticatedRoutes = ({
 const { setRedirectLocation } = useContext(RoutingContext);
 const { currentUser, config, isSandboxMode } = useContext(AppContext);

+ const handlePageError = useErrorHandler();
+
 const redirectToLogin = () => {
 const { LOGIN } = paths;

@@ -89,6 +93,11 @@ export const AuthenticatedRoutes = ({
 if (currentUser?.api_only) {
 return redirectToApiUserOnly();
 }
+
+ if (currentUser && permissions.isNoAccess(currentUser)) {
+ local.removeItem("auth_token");
+ return handlePageError({ status: 403 });
+ }
 }, [currentUser]);

 useDeepEffect(() => {
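Review bot: `local.removeItem("auth_token")` in the new no-access branch of the third hunk only discards the token on the client; the PR description says the user is logged out, but nothing in this hunk invalidates the session server-side, so the same token in another tab (or the in-memory `currentUser` in AppContext) remains usable as far as the server is concerned. If the app has a logout action that calls the backend, invoke it before removing the item, or state in a comment that client-only removal is deliberate because a no-access user may not be able to call that endpoint; the effect body and any existing logout helper are outside the hunk, so I could not confirm either. The new check also sits after `if (currentUser?.api_only)`, so an api-only user who is also no-access is redirected rather than shown the 403 — if the 403 should win, move the new `if` above that check. A one-line comment such as `// authenticated user with no role: drop the stored token and surface 403 instead of rendering the routes; the API must still enforce authorization` would make the intent and the limits of this UI-side gate clear to the next reader.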