Commit 6e7db8e2 authored by Gabriel Mazetto's avatar Gabriel Mazetto

Prevent ldap_blocked users from being blocked/unblocked by the API

parent ba9855d4
...@@ -558,7 +558,8 @@ Parameters: ...@@ -558,7 +558,8 @@ Parameters:
- `uid` (required) - id of specified user - `uid` (required) - id of specified user
Will return `200 OK` on success, or `404 User Not Found` is user cannot be found. Will return `200 OK` on success, `404 User Not Found` is user cannot be found or
`403 Forbidden` when trying to block an already blocked user by LDAP synchronization.
## Unblock user ## Unblock user
...@@ -572,4 +573,5 @@ Parameters: ...@@ -572,4 +573,5 @@ Parameters:
- `uid` (required) - id of specified user - `uid` (required) - id of specified user
Will return `200 OK` on success, or `404 User Not Found` is user cannot be found. Will return `200 OK` on success, `404 User Not Found` is user cannot be found or
`403 Forbidden` when trying to unblock a user blocked by LDAP synchronization.
...@@ -284,10 +284,12 @@ module API ...@@ -284,10 +284,12 @@ module API
authenticated_as_admin! authenticated_as_admin!
user = User.find_by(id: params[:id]) user = User.find_by(id: params[:id])
if user if !user
not_found!('User')
elsif !user.ldap_blocked?
user.block user.block
else else
not_found!('User') forbidden!('LDAP blocked users cannot be modified by the API')
end end
end end
...@@ -299,10 +301,12 @@ module API ...@@ -299,10 +301,12 @@ module API
authenticated_as_admin! authenticated_as_admin!
user = User.find_by(id: params[:id]) user = User.find_by(id: params[:id])
if user if !user
not_found!('User')
elsif !user.ldap_blocked?
user.activate user.activate
else else
not_found!('User') forbidden!('LDAP blocked users cannot be unblocked by the API')
end end
end end
end end
......
...@@ -8,6 +8,8 @@ describe API::API, api: true do ...@@ -8,6 +8,8 @@ describe API::API, api: true do
let(:key) { create(:key, user: user) } let(:key) { create(:key, user: user) }
let(:email) { create(:email, user: user) } let(:email) { create(:email, user: user) }
let(:omniauth_user) { create(:omniauth_user) } let(:omniauth_user) { create(:omniauth_user) }
let(:ldap_user) { create(:omniauth_user, provider: 'ldapmain') }
let(:ldap_blocked_user) { create(:omniauth_user, provider: 'ldapmain', state: 'ldap_blocked') }
describe "GET /users" do describe "GET /users" do
context "when unauthenticated" do context "when unauthenticated" do
...@@ -783,6 +785,12 @@ describe API::API, api: true do ...@@ -783,6 +785,12 @@ describe API::API, api: true do
expect(user.reload.state).to eq('blocked') expect(user.reload.state).to eq('blocked')
end end
it 'should not re-block ldap blocked users' do
put api("/users/#{ldap_blocked_user.id}/block", admin)
expect(response.status).to eq(403)
expect(ldap_blocked_user.reload.state).to eq('ldap_blocked')
end
it 'should not be available for non admin users' do it 'should not be available for non admin users' do
put api("/users/#{user.id}/block", user) put api("/users/#{user.id}/block", user)
expect(response.status).to eq(403) expect(response.status).to eq(403)
...@@ -797,7 +805,9 @@ describe API::API, api: true do ...@@ -797,7 +805,9 @@ describe API::API, api: true do
end end
describe 'PUT /user/:id/unblock' do describe 'PUT /user/:id/unblock' do
let(:blocked_user) { create(:user, state: 'blocked') }
before { admin } before { admin }
it 'should unblock existing user' do it 'should unblock existing user' do
put api("/users/#{user.id}/unblock", admin) put api("/users/#{user.id}/unblock", admin)
expect(response.status).to eq(200) expect(response.status).to eq(200)
...@@ -805,12 +815,15 @@ describe API::API, api: true do ...@@ -805,12 +815,15 @@ describe API::API, api: true do
end end
it 'should unblock a blocked user' do it 'should unblock a blocked user' do
put api("/users/#{user.id}/block", admin) put api("/users/#{blocked_user.id}/unblock", admin)
expect(response.status).to eq(200)
expect(user.reload.state).to eq('blocked')
put api("/users/#{user.id}/unblock", admin)
expect(response.status).to eq(200) expect(response.status).to eq(200)
expect(user.reload.state).to eq('active') expect(blocked_user.reload.state).to eq('active')
end
it 'should not unblock ldap blocked users' do
put api("/users/#{ldap_blocked_user.id}/unblock", admin)
expect(response.status).to eq(403)
expect(ldap_blocked_user.reload.state).to eq('ldap_blocked')
end end
it 'should not be available for non admin users' do it 'should not be available for non admin users' do
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment