Merge branch '29505-allow-admins-sudo-to-blocked-users' into 'master'

Allow admins to sudo to blocked users See merge request !10842

Merge branch '29505-allow-admins-sudo-to-blocked-users' into 'master'
Allow admins to sudo to blocked users See merge request !10842
86038fa5 · Rémy Coutable · 025b04f3 · 4dfdef2d · 86038fa5 · 86038fa5
Commit 86038fa5 authored Apr 27, 2017 by Rémy Coutable
3 changed files
--- a/changelogs/unreleased/29505-allow-admins-sudo-to-blocked-users.yml
+++ b/changelogs/unreleased/29505-allow-admins-sudo-to-blocked-users.yml
+---
+title: Allow admins to sudo to blocked users via the API
+merge_request: 10842
+author:
--- a/lib/api/helpers.rb
+++ b/lib/api/helpers.rb
@@ -102,7 +102,7 @@ module API
    end

    def authenticate!
-      unauthorized! unless current_user && can?(current_user, :access_api)
+      unauthorized! unless current_user && can?(initial_current_user, :access_api)
    end

    def authenticate_non_get!

--- a/spec/requests/api/helpers_spec.rb
+++ b/spec/requests/api/helpers_spec.rb
@@ -427,6 +427,7 @@ describe API::Helpers do
    context 'current_user is nil' do
      before do
        expect_any_instance_of(self.class).to receive(:current_user).and_return(nil)
+        allow_any_instance_of(self.class).to receive(:initial_current_user).and_return(nil)
      end

      it 'returns a 401 response' do
@@ -435,13 +436,38 @@ describe API::Helpers do
    end

    context 'current_user is present' do
+      let(:user) { build(:user) }
+
      before do
-        expect_any_instance_of(self.class).to receive(:current_user).at_least(:once).and_return(User.new)
+        expect_any_instance_of(self.class).to receive(:current_user).at_least(:once).and_return(user)
+        expect_any_instance_of(self.class).to receive(:initial_current_user).and_return(user)
      end

      it 'does not raise an error' do
        expect { authenticate! }.not_to raise_error
      end
    end
+
+    context 'current_user is blocked' do
+      let(:user) { build(:user, :blocked) }
+
+      before do
+        expect_any_instance_of(self.class).to receive(:current_user).at_least(:once).and_return(user)
+      end
+
+      it 'raises an error' do
+        expect_any_instance_of(self.class).to receive(:initial_current_user).and_return(user)
+
+        expect { authenticate! }.to raise_error '401 - {"message"=>"401 Unauthorized"}'
+      end
+
+      it "doesn't raise an error if an admin user is impersonating a blocked user (via sudo)" do
+        admin_user = build(:user, :admin)
+
+        expect_any_instance_of(self.class).to receive(:initial_current_user).and_return(admin_user)
+
+        expect { authenticate! }.not_to raise_error
+      end
+    end
  end
 end