Commit 50a04bdc authored by Stan Hu's avatar Stan Hu

Merge branch 'api-user-blocking' into 'master'

Allow user to be blocked and activated via the API

When authenticating against LDAP if a user has been disabled in LDAP they can no longer log on to the website or commit over http(s) but will be able to commit using any ssh keys.  This functionality allows us to look for users in GitLab that no longer exist in LDAP and disable then in GitLab.

Closes Feedback item: [Add administrative API call to block users](http://feedback.gitlab.com/forums/176466-general/suggestions/4098632-add-administrative-api-call-to-block-users)

See merge request !587
parents 49749169 b3a75111
......@@ -35,6 +35,7 @@ v 7.13.0 (unreleased)
- Faster automerge check and merge itself when source and target branches are in same repository
- Correctly show anonymous authorized applications under Profile > Applications.
- Query Optimization in MySQL.
- Allow users to be blocked and unblocked via the API
v 7.12.1
- Fix error when deleting a user who has projects (Stan Hu)
......
......@@ -396,3 +396,31 @@ Parameters:
- `id` (required) - SSH key ID
Will return `200 OK` on success, or `404 Not found` if either user or key cannot be found.
## Block user
Blocks the specified user. Available only for admin.
```
PUT /users/:uid/block
```
Parameters:
- `uid` (required) - id of specified user
Will return `200 OK` on success, or `404 User Not Found` is user cannot be found.
## Unblock user
Unblocks the specified user. Available only for admin.
```
PUT /users/:uid/unblock
```
Parameters:
- `uid` (required) - id of specified user
Will return `200 OK` on success, or `404 User Not Found` is user cannot be found.
......@@ -199,6 +199,36 @@ module API
not_found!('User')
end
end
# Block user. Available only for admin
#
# Example Request:
# PUT /users/:id/block
put ':id/block' do
authenticated_as_admin!
user = User.find_by(id: params[:id])
if user
user.block
else
not_found!('User')
end
end
# Unblock user. Available only for admin
#
# Example Request:
# PUT /users/:id/unblock
put ':id/unblock' do
authenticated_as_admin!
user = User.find_by(id: params[:id])
if user
user.activate
else
not_found!('User')
end
end
end
resource :user do
......
......@@ -527,4 +527,55 @@ describe API::API, api: true do
expect(response.status).to eq(401)
end
end
describe 'PUT /user/:id/block' do
before { admin }
it 'should block existing user' do
put api("/users/#{user.id}/block", admin)
expect(response.status).to eq(200)
expect(user.reload.state).to eq('blocked')
end
it 'should not be available for non admin users' do
put api("/users/#{user.id}/block", user)
expect(response.status).to eq(403)
expect(user.reload.state).to eq('active')
end
it 'should return a 404 error if user id not found' do
put api('/users/9999/block', admin)
expect(response.status).to eq(404)
expect(json_response['message']).to eq('404 User Not Found')
end
end
describe 'PUT /user/:id/unblock' do
before { admin }
it 'should unblock existing user' do
put api("/users/#{user.id}/unblock", admin)
expect(response.status).to eq(200)
expect(user.reload.state).to eq('active')
end
it 'should unblock a blocked user' do
put api("/users/#{user.id}/block", admin)
expect(response.status).to eq(200)
expect(user.reload.state).to eq('blocked')
put api("/users/#{user.id}/unblock", admin)
expect(response.status).to eq(200)
expect(user.reload.state).to eq('active')
end
it 'should not be available for non admin users' do
put api("/users/#{user.id}/unblock", user)
expect(response.status).to eq(403)
expect(user.reload.state).to eq('active')
end
it 'should return a 404 error if user id not found' do
put api('/users/9999/block', admin)
expect(response.status).to eq(404)
expect(json_response['message']).to eq('404 User Not Found')
end
end
end
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment