Ignore blocking already blocked user

This maintains the idempotent nature of this API and consistent with
other state change method (e.g. `deactivated`).

doc/administration/audit_events.md

@@ -107,6 +107,7 @@ recorded:
 - User was deleted ([introduced](https://gitlab.com/gitlab-org/gitlab/issues/251) in GitLab 12.8)
 - User was added ([introduced](https://gitlab.com/gitlab-org/gitlab/issues/251) in GitLab 12.8)
 - User was blocked via Admin Area ([introduced](https://gitlab.com/gitlab-org/gitlab/issues/251) in GitLab 12.8)
+- User was blocked via API ([introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/25872) in GitLab 12.9)
 
 It's possible to filter particular actions by choosing an audit data type from
 the filter dropdown box. You can further filter by specific group, project, or user

doc/api/users.md

@@ -1168,8 +1168,11 @@ Parameters:
 
 - `id` (required) - id of specified user
 
-Will return `201 OK` on success, `404 User Not Found` is user cannot be found or
-`403 Forbidden` when trying to block an already blocked user by LDAP synchronization.
+Returns:
+
+- `201 OK` on success.
+- `404 User Not Found` if user cannot be found.
+- `403 Forbidden` when trying to block an already blocked user by LDAP synchronization.
 
 ## Unblock user
 

ee/changelogs/unreleased/audit-block-user-via-api.yml

+---
+title: Audit user blocked via API
+merge_request: 25872
+author:
+type: added

ee/spec/requests/api/users_spec.rb

@@ -57,6 +57,16 @@ describe API::Users do
         expect(AuditEvent.count).to eq(1)
       end
     end
+
+    describe 'POST /users/:id/block' do
+      it 'creates audit event when blocking user' do
+        stub_licensed_features(extended_audit_events: true)
+
+        expect do
+          post api("/users/#{user.id}/block", admin)
+        end.to change { AuditEvent.count }.by(1)
+      end
+    end
   end
 
   context 'shared_runners_minutes_limit' do

lib/api/users.rb

@@ -528,11 +528,18 @@ module API
         user = User.find_by(id: params[:id])
         not_found!('User') unless user
 
-        if !user.ldap_blocked?
-          user.block
-        else
+        if user.ldap_blocked?
           forbidden!('LDAP blocked users cannot be modified by the API')
         end
+
+        break if user.blocked?
+
+        result = ::Users::BlockService.new(current_user).execute(user)
+        if result[:status] == :success
+          true
+        else
+          render_api_error!(result[:message], result[:http_status])
+        end
       end
       # rubocop: enable CodeReuse/ActiveRecord
 

spec/requests/api/users_spec.rb

@@ -2165,14 +2165,20 @@ describe API::Users, :do_not_mock_admin_mode do
   end
 
   describe 'POST /users/:id/block' do
+    let(:blocked_user) { create(:user, state: 'blocked') }
+
     before do
       admin
     end
 
     it 'blocks existing user' do
       post api("/users/#{user.id}/block", admin)
-      expect(response).to have_gitlab_http_status(:created)
-      expect(user.reload.state).to eq('blocked')
+
+      aggregate_failures do
+        expect(response).to have_gitlab_http_status(:created)
+        expect(response.body).to eq('true')
+        expect(user.reload.state).to eq('blocked')
+      end
     end
 
     it 'does not re-block ldap blocked users' do
@@ -2192,6 +2198,15 @@ describe API::Users, :do_not_mock_admin_mode do
       expect(response).to have_gitlab_http_status(:not_found)
       expect(json_response['message']).to eq('404 User Not Found')
     end
+
+    it 'returns a 201 if user is already blocked' do
+      post api("/users/#{blocked_user.id}/block", admin)
+
+      aggregate_failures do
+        expect(response).to have_gitlab_http_status(:created)
+        expect(response.body).to eq('null')
+      end
+    end
   end
 
   describe 'POST /users/:id/unblock' do