Fix deleted-user access hole: fail-closed UI and backend tombstone guard

Author: wilhel1812

functions/_lib/db.ts

@@ -134,6 +134,13 @@ const ensureSchema = async (env: Env): Promise<void> => {
             updated_at TEXT
           )`,
         ),
+        env.DB.prepare(
+          `CREATE TABLE IF NOT EXISTS deleted_users (
+            id TEXT PRIMARY KEY,
+            deleted_at TEXT NOT NULL,
+            deleted_by_user_id TEXT
+          )`,
+        ),
         env.DB.prepare(
           `CREATE TABLE IF NOT EXISTS sites (
             id TEXT PRIMARY KEY,
@@ -369,6 +376,10 @@ export const ensureUser = async (
   tokenPayload?: Record<string, unknown>,
 ): Promise<void> => {
   await ensureSchema(env);
+  const deleted = await env.DB.prepare("SELECT id FROM deleted_users WHERE id = ? LIMIT 1").bind(userId).first<{ id: string }>();
+  if (deleted?.id) {
+    throw new Error("Account removed by admin");
+  }
   const now = new Date().toISOString();
   const username = deriveDefaultName(userId, tokenPayload);
   const email = deriveDefaultEmail(userId, tokenPayload);
@@ -539,9 +550,19 @@ export const setUserApproval = async (
   return profile;
 };
 
-export const deleteUser = async (env: Env, userId: string): Promise<void> => {
+export const deleteUser = async (env: Env, userId: string, actorUserId?: string): Promise<void> => {
   await ensureSchema(env);
-  await env.DB.prepare("DELETE FROM users WHERE id = ?").bind(userId).run();
+  const now = new Date().toISOString();
+  await env.DB.batch([
+    env.DB
+      .prepare(
+        `INSERT INTO deleted_users (id, deleted_at, deleted_by_user_id)
+         VALUES (?, ?, ?)
+         ON CONFLICT(id) DO UPDATE SET deleted_at = excluded.deleted_at, deleted_by_user_id = excluded.deleted_by_user_id`,
+      )
+      .bind(userId, now, actorUserId ?? null),
+    env.DB.prepare("DELETE FROM users WHERE id = ?").bind(userId),
+  ]);
 };
 
 export const listPendingApprovalUsers = async (

functions/api/changes.ts

@@ -26,7 +26,7 @@ export const onRequestGet: PagesFunction<Env> = async ({ request, env }) => {
     return withCors(request, json({ changes }));
   } catch (error) {
     const message = error instanceof Error ? error.message : String(error);
-    const status = message.includes("pending approval") ? 403 : 500;
+    const status = message.includes("pending approval") || message.includes("removed by admin") ? 403 : 500;
     return withCors(request, json({ error: message }, { status }));
   }
 };

functions/api/library.ts

@@ -23,7 +23,7 @@ export const onRequestGet: PagesFunction<Env> = async ({ request, env }) => {
     );
   } catch (error) {
     const message = error instanceof Error ? error.message : String(error);
-    const status = message.includes("pending approval") ? 403 : 500;
+    const status = message.includes("pending approval") || message.includes("removed by admin") ? 403 : 500;
     return withCors(request, json({ error: message }, { status }));
   }
 };
@@ -53,7 +53,10 @@ export const onRequestPut: PagesFunction<Env> = async ({ request, env }) => {
     );
   } catch (error) {
     const message = error instanceof Error ? error.message : String(error);
-    const status = message.includes("pending approval") ? 403 : 400;
+    const status =
+      message.includes("pending approval") || message.includes("removed by admin")
+        ? 403
+        : 400;
     return withCors(request, json({ error: message }, { status }));
   }
 };

functions/api/me.ts

@@ -24,7 +24,12 @@ export const onRequestGet: PagesFunction<Env> = async ({ request, env }) => {
     );
   } catch (error) {
     const message = error instanceof Error ? error.message : String(error);
-    return withCors(request, json({ error: message }, { status: 401 }));
+    const status = message.includes("removed by admin")
+      ? 403
+      : message.includes("pending approval")
+        ? 403
+        : 401;
+    return withCors(request, json({ error: message }, { status }));
   }
 };
 
@@ -46,7 +51,12 @@ export const onRequestPatch: PagesFunction<Env> = async ({ request, env }) => {
     return withCors(request, json({ user }));
   } catch (error) {
     const message = error instanceof Error ? error.message : String(error);
-    const status = message.includes("required") || message.includes("valid") ? 400 : 500;
+    const status =
+      message.includes("removed by admin") || message.includes("pending approval")
+        ? 403
+        : message.includes("required") || message.includes("valid")
+          ? 400
+          : 500;
     return withCors(request, json({ error: message }, { status }));
   }
 };

functions/api/notifications.ts

@@ -42,7 +42,7 @@ export const onRequestGet: PagesFunction<Env> = async ({ request, env }) => {
     );
   } catch (error) {
     const message = error instanceof Error ? error.message : String(error);
-    const status = message.includes("pending approval") ? 403 : 500;
+    const status = message.includes("pending approval") || message.includes("removed by admin") ? 403 : 500;
     return withCors(request, json({ error: message }, { status }));
   }
 };

functions/api/users.ts

@@ -20,7 +20,7 @@ export const onRequestGet: PagesFunction<Env> = async ({ request, env }) => {
     return withCors(request, json({ users }));
   } catch (error) {
     const message = error instanceof Error ? error.message : String(error);
-    const status = message.includes("pending approval") ? 403 : 500;
+    const status = message.includes("pending approval") || message.includes("removed by admin") ? 403 : 500;
     return withCors(request, json({ error: message }, { status }));
   }
 };

functions/api/users/[id].ts

@@ -51,7 +51,7 @@ export const onRequestGet: PagesFunction<Env> = async ({ request, env, params })
     return withCors(request, json({ user }));
   } catch (error) {
     const message = error instanceof Error ? error.message : String(error);
-    const status = message.includes("pending approval") ? 403 : 500;
+    const status = message.includes("pending approval") || message.includes("removed by admin") ? 403 : 500;
     return withCors(request, json({ error: message }, { status }));
   }
 };
@@ -118,7 +118,7 @@ export const onRequestPatch: PagesFunction<Env> = async ({ request, env, params
     const status =
       message.includes("required") || message.includes("valid")
         ? 400
-        : message.includes("pending approval")
+        : message.includes("pending approval") || message.includes("removed by admin")
           ? 403
           : 500;
     return withCors(request, json({ error: message }, { status }));
@@ -142,11 +142,11 @@ export const onRequestDelete: PagesFunction<Env> = async ({ request, env, params
       return withCors(request, json({ error: "Admin cannot delete own account." }, { status: 400 }));
     }
 
-    await deleteUser(env, targetId);
+    await deleteUser(env, targetId, auth.userId);
     return withCors(request, json({ ok: true }));
   } catch (error) {
     const message = error instanceof Error ? error.message : String(error);
-    const status = message.includes("pending approval") ? 403 : 500;
+    const status = message.includes("pending approval") || message.includes("removed by admin") ? 403 : 500;
     return withCors(request, json({ error: message }, { status }));
   }
 };

src/components/AppShell.tsx

@@ -12,7 +12,7 @@ export function AppShell() {
     (state) => state.recommendAndFetchTerrainForCurrentArea,
   );
   const [isMapExpanded, setIsMapExpanded] = useState(false);
-  const [accessState, setAccessState] = useState<"checking" | "granted" | "pending">("checking");
+  const [accessState, setAccessState] = useState<"checking" | "granted" | "pending" | "locked">("checking");
 
   useEffect(() => {
     if (srtmTilesCount > 0) return;
@@ -25,11 +25,21 @@ export function AppShell() {
         const me = await fetchMe();
         setAccessState(me.isAdmin || me.isApproved ? "granted" : "pending");
       } catch {
-        setAccessState("granted");
+        setAccessState("locked");
       }
     })();
   }, []);
 
+  if (accessState === "checking") {
+    return (
+      <main className="app-shell access-locked-shell">
+        <section className="panel-section access-locked-panel">
+          <h2>Checking access…</h2>
+        </section>
+      </main>
+    );
+  }
+
   if (accessState === "pending") {
     return (
       <main className="app-shell access-locked-shell">
@@ -51,6 +61,27 @@ export function AppShell() {
     );
   }
 
+  if (accessState === "locked") {
+    return (
+      <main className="app-shell access-locked-shell">
+        <section className="panel-section access-locked-panel">
+          <h2>Access unavailable</h2>
+          <p className="field-help">
+            Your account session is valid, but this account is not available in LinkSim right now.
+          </p>
+          <p className="field-help">
+            If your user was removed by an admin, ask for re-approval. Then sign out and sign in again.
+          </p>
+          <div className="chip-group">
+            <button className="inline-action" onClick={() => (window.location.href = "/cdn-cgi/access/logout")} type="button">
+              Sign Out
+            </button>
+          </div>
+        </section>
+      </main>
+    );
+  }
+
   return (
     <main className={`app-shell ${isMapExpanded ? "is-map-expanded" : ""}`}>
       {!isMapExpanded ? <Sidebar /> : null}