Prevent user blocking themselves through API

71678a24 · Ela Doğruyol · Alex Pooley · daae13af · 71678a24 · 71678a24
Commit 71678a24 authored Mar 09, 2022 by Ela Doğruyol Committed by Alex Pooley Mar 09, 2022
Hide whitespace changes
Inline Side-by-side

Showing with 14 additions and 0 deletions

lib/api/users.rb lib/api/users.rb +2 -0

spec/requests/api/users_spec.rb spec/requests/api/users_spec.rb +12 -0

No files found.
--- a/lib/api/users.rb
+++ b/lib/api/users.rb
@@ -702,6 +702,8 @@ module API

        if user.ldap_blocked?
          forbidden!('LDAP blocked users cannot be modified by the API')
+        elsif current_user == user
+          forbidden!('The API initiating user cannot be blocked by the API')
        end

        break if user.blocked?

--- a/spec/requests/api/users_spec.rb
+++ b/spec/requests/api/users_spec.rb
@@ -3116,6 +3116,18 @@ RSpec.describe API::Users do
          expect(response.body).to eq('null')
        end
      end
+
+      context 'with the API initiating user' do
+        let(:user_id) { admin.id }
+
+        it 'does not block the API initiating user, returns 403' do
+          block_user
+
+          expect(response).to have_gitlab_http_status(:forbidden)
+          expect(json_response['message']).to eq('403 Forbidden - The API initiating user cannot be blocked by the API')
+          expect(admin.reload.state).to eq('active')
+        end
+      end
    end

    it 'is not available for non admin users' do