Commit
6e7db8e2
authored
Dec 30, 2015
by
Gabriel Mazetto
Prevent ldap_blocked users from being blocked/unblocked by the API
parent
ba9855d4
Showing
3 changed files
with
30 additions
and
11 deletions
+30
-11
users.md
doc/api/users.md
+4
-2
users.rb
lib/api/users.rb
+8
-4
users_spec.rb
spec/requests/api/users_spec.rb
+18
-5
doc/api/users.md
@@ -558,7 +558,8 @@ Parameters:
-
`uid`
(required) - id of specified user
Will return
`200 OK`
on success, or
`404 User Not Found`
is user cannot be found.
Will return
`200 OK`
on success,
`404 User Not Found`
is user cannot be found or
`403 Forbidden`
when trying to block an already blocked user by LDAP synchronization.
## Unblock user
@@ -572,4 +573,5 @@ Parameters:
-
`uid`
(required) - id of specified user
Will return
`200 OK`
on success, or
`404 User Not Found`
is user cannot be found.
Will return
`200 OK`
on success,
`404 User Not Found`
is user cannot be found or
`403 Forbidden`
when trying to unblock a user blocked by LDAP synchronization.
lib/api/users.rb
@@ -284,10 +284,12 @@ module API
authenticated_as_admin!
user
=
User
.
find_by
(
id:
params
[
:id
])
if
user
if
!
user
not_found!
(
'User'
)
elsif
!
user
.
ldap_blocked?
user
.
block
else
not_found!
(
'User
'
)
forbidden!
(
'LDAP blocked users cannot be modified by the API
'
)
end
end
@@ -299,10 +301,12 @@ module API
authenticated_as_admin!
user
=
User
.
find_by
(
id:
params
[
:id
])
if
user
if
!
user
not_found!
(
'User'
)
elsif
!
user
.
ldap_blocked?
user
.
activate
else
not_found!
(
'User
'
)
forbidden!
(
'LDAP blocked users cannot be unblocked by the API
'
)
end
end
end
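Review bot: The two forbidden! messages added in this section disagree for the same condition: the block endpoint (first hunk) says `'LDAP blocked users cannot be modified by the API'` while the unblock endpoint (second hunk) says `'LDAP blocked users cannot be unblocked by the API'`, and "modified" overstates what this branch enforces, since only these two endpoints consult `ldap_blocked?` as far as the hunks show. Making the first message endpoint-specific, `forbidden!('LDAP blocked users cannot be blocked by the API')`, would match both the second message and the wording added to doc/api/users.md. As a point of style, each nested `if !user / elsif !user.ldap_blocked? / else` chain reads better as guard clauses: `not_found!('User') unless user`, `forbidden!('…') if user.ldap_blocked?`, followed by the `user.block` or `user.activate` call. The enclosing endpoint definitions begin before each hunk, so the route declarations are not visible here.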
spec/requests/api/users_spec.rb
@@ -8,6 +8,8 @@ describe API::API, api: true do
let
(
:key
)
{
create
(
:key
,
user:
user
)
}
let
(
:email
)
{
create
(
:email
,
user:
user
)
}
let
(
:omniauth_user
)
{
create
(
:omniauth_user
)
}
let
(
:ldap_user
)
{
create
(
:omniauth_user
,
provider:
'ldapmain'
)
}
let
(
:ldap_blocked_user
)
{
create
(
:omniauth_user
,
provider:
'ldapmain'
,
state:
'ldap_blocked'
)
}
describe
"GET /users"
do
context
"when unauthenticated"
do
@@ -783,6 +785,12 @@ describe API::API, api: true do
expect
(
user
.
reload
.
state
).
to
eq
(
'blocked'
)
end
it
'should not re-block ldap blocked users'
do
put
api
(
"/users/
#{
ldap_blocked_user
.
id
}
/block"
,
admin
)
expect
(
response
.
status
).
to
eq
(
403
)
expect
(
ldap_blocked_user
.
reload
.
state
).
to
eq
(
'ldap_blocked'
)
end
it
'should not be available for non admin users'
do
put
api
(
"/users/
#{
user
.
id
}
/block"
,
user
)
expect
(
response
.
status
).
to
eq
(
403
)
@@ -797,7 +805,9 @@ describe API::API, api: true do
end
describe
'PUT /user/:id/unblock'
do
let
(
:blocked_user
)
{
create
(
:user
,
state:
'blocked'
)
}
before
{
admin
}
it
'should unblock existing user'
do
put
api
(
"/users/
#{
user
.
id
}
/unblock"
,
admin
)
expect
(
response
.
status
).
to
eq
(
200
)
@@ -805,12 +815,15 @@ describe API::API, api: true do
end
it
'should unblock a blocked user'
do
put
api
(
"/users/
#{
user
.
id
}
/block"
,
admin
)
expect
(
response
.
status
).
to
eq
(
200
)
expect
(
user
.
reload
.
state
).
to
eq
(
'blocked'
)
put
api
(
"/users/
#{
user
.
id
}
/unblock"
,
admin
)
put
api
(
"/users/
#{
blocked_user
.
id
}
/unblock"
,
admin
)
expect
(
response
.
status
).
to
eq
(
200
)
expect
(
user
.
reload
.
state
).
to
eq
(
'active'
)
expect
(
blocked_user
.
reload
.
state
).
to
eq
(
'active'
)
end
it
'should not unblock ldap blocked users'
do
put
api
(
"/users/
#{
ldap_blocked_user
.
id
}
/unblock"
,
admin
)
expect
(
response
.
status
).
to
eq
(
403
)
expect
(
ldap_blocked_user
.
reload
.
state
).
to
eq
(
'ldap_blocked'
)
end
it
'should not be available for non admin users'
do
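Review bot: The 403 assertions in 'should not re-block ldap blocked users' (this section's second hunk) and 'should not unblock ldap blocked users' (fourth hunk) check only the status code, and the neighbouring 'should not be available for non admin users' examples expect 403 as well, so a regression that sent the admin request down the generic forbidden path instead of the new LDAP branch would still pass. Asserting on the response body's message too, with whatever JSON-body helper the rest of this spec file already uses, would pin that the LDAP-specific `forbidden!` produced the 403. The `ldap_blocked_user.reload.state` assertions are the right complement and should stay. The example that begins on the last hunk line continues outside the hunk.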