Restrict login for blocked user

I’m trying to restrict login for a user whose status is “Cancelled”. I’ve tried reading other forum discussions, but I can’t get this to work.

I created a custom state for the page called “isCancelled” yes/no.

I’ve set up this workflow:

The first step I’m hoping would set the custom state to Yes when searching for the user’s email and find the user status is Cancelled.

It then displays an error text and terminates the flow.

However, I can’t get this to work. It doesn’t seem to be doing the search and just logs in the user. Note, I’m still on a free plan and testing this functionality.

Why are you making it so complicated by involving states?

Just apply the condition on the “Log the user in” step. Make it Only when: Current user’s User Role is not Cancelled (to prevent the login). If this doesn’t work, only then should you attempt searching (getting the current user is way faster than searching).

Once you’ve prevented the login, you can then show the user whatever you want later on.

I’ve tried both options, and it still allows through a login…

I think that referencing the current user in the login condition wouldn’t work since the user attempting to log in isn’t the current user until after being logged in.

Review the debugger for your workflow that uses search in the login condition. I would expect that to work.

Alternatively, follow the login action immediately with a logout action that has the necessary condition.

I don’t think ‘current user’ would work. And custom state may not be needed.

Your method of searching user with email and checking user role of first item should work.

If this one is not working, I would check what the search is returning. Does the search have the right criteria? Are any privacy rules preventing you from getting data?

I suspect my privacy settings are too restrictive. Should I modify this?

Your privacy rules don’t allow access to the User Role field, so it’s not possible to access that value in the expression: Search for Users: first item’s User Role is Not Cancelled.

(it will never be cancelled, as no value is ever returned).

So instead, add User Role is cancelled as a constraint on the Search, then check that the count of returned items is less than 1.

Yes, either you modify this or make the change in your query as @adamhholmes suggested.

Sorry, can you clarify the setup? Am I using this action?

As a bonus this is also more WU-efficient.

But I don’t like having everyone be able to search the users.

Here is an alternative using 2 workflows that’s actually more secure IMO:

Workflow 1: When user is logged in → Log the user out (1 action)

Condition: User’s role is Cancelled

Workflow 2: When page is loaded → Go to page (1 action)

Condition 2: User’s role is Cancelled

Both of these workflows operate serverside.

You should also have role-based conditions on EVERY workflow (backend included).

This solution worked. Here is my setup:

Just FYI, anyone can publicly find out how many users your app has, how many admins, how many cancelled users, etc. using this method. You may not find this to be problematic, but a heads-up to those who want to use this method.
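
An added example, not part of any post in this thread and not Bubble's own code: a small Python model of why the "first item's User Role is not Cancelled" condition lets everyone through when privacy rules hide the field, next to the count-based check and a variant that denies when the role is unreadable. The record layout, the function names and the assumption that a search constraint is evaluated on the stored value even when the field is not returned (as the thread describes) are all constructed for illustration.

```python
# Constructed model of the scenario discussed in the thread; not Bubble's implementation.
USERS = [  # constructed sample records
    {"email": "ann@example.test", "role": "Active"},
    {"email": "bob@example.test", "role": "Cancelled"},
]

def search(email, visible_fields, constraints=None):
    """Search as a not-yet-logged-in visitor.

    Assumption: constraints are matched against the stored record, while any
    field outside visible_fields comes back empty (None) in the result.
    """
    constraints = constraints or {}
    hits = []
    for user in USERS:
        if user["email"] != email:
            continue
        if any(user.get(k) != v for k, v in constraints.items()):
            continue
        hits.append({k: (v if k in visible_fields else None)
                     for k, v in user.items()})
    return hits

def allow_field_check(email, visible_fields):
    """Condition: search by email, first item's role is not Cancelled."""
    hits = search(email, visible_fields)
    role = hits[0]["role"] if hits else None
    # A hidden role reads as None, and None != "Cancelled" is True: fails open.
    return role != "Cancelled"

def allow_count_check(email, visible_fields):
    """Condition: search by email with role = Cancelled, count < 1."""
    return len(search(email, visible_fields, {"role": "Cancelled"})) < 1

def allow_fail_closed(email, visible_fields):
    """Variant: an unreadable role is treated as a denial, not as a pass."""
    hits = search(email, visible_fields)
    role = hits[0]["role"] if hits else None
    return role is not None and role != "Cancelled"

if __name__ == "__main__":
    hidden, readable = {"email"}, {"email", "role"}
    for name, check in [("field", allow_field_check),
                        ("count", allow_count_check),
                        ("closed", allow_fail_closed)]:
        print(name, check("bob@example.test", hidden),
              check("bob@example.test", readable))
```

With the role hidden, the fail-closed variant also blocks active users, which turns the privacy-rule mismatch into a visible failure instead of a silent bypass.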