Merge branch 'tle-audit-block-user-via-api' into 'master'

Audit blocking user via API See merge request gitlab-org/gitlab!25872

Merge branch 'tle-audit-block-user-via-api' into 'master'
Audit blocking user via API See merge request gitlab-org/gitlab!25872
92f45fc5 · Imre Farkas · 3d09882d · 33040676 · 92f45fc5 · 92f45fc5
Commit 92f45fc5 authored Mar 04, 2020 by Imre Farkas
6 changed files
--- a/doc/administration/audit_events.md
+++ b/doc/administration/audit_events.md
@@ -107,6 +107,7 @@ recorded:
 - User was deleted ([introduced](https://gitlab.com/gitlab-org/gitlab/issues/251) in GitLab 12.8)
 - User was added ([introduced](https://gitlab.com/gitlab-org/gitlab/issues/251) in GitLab 12.8)
 - User was blocked via Admin Area ([introduced](https://gitlab.com/gitlab-org/gitlab/issues/251) in GitLab 12.8)
+- User was blocked via API ([introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/25872) in GitLab 12.9)

 It's possible to filter particular actions by choosing an audit data type from
 the filter dropdown box. You can further filter by specific group, project, or user

--- a/doc/api/users.md
+++ b/doc/api/users.md
@@ -1168,8 +1168,11 @@ Parameters:

 - `id` (required) - id of specified user

-Will return `201 OK` on success, `404 User Not Found` is user cannot be found or
-`403 Forbidden` when trying to block an already blocked user by LDAP synchronization.
+Returns:
+
+- `201 OK` on success.
+- `404 User Not Found` if user cannot be found.
+- `403 Forbidden` when trying to block an already blocked user by LDAP synchronization.

 ## Unblock user


--- a/ee/changelogs/unreleased/audit-block-user-via-api.yml
+++ b/ee/changelogs/unreleased/audit-block-user-via-api.yml
+---
+title: Audit user blocked via API
+merge_request: 25872
+author:
+type: added
--- a/ee/spec/requests/api/users_spec.rb
+++ b/ee/spec/requests/api/users_spec.rb
@@ -57,6 +57,16 @@ describe API::Users do
        expect(AuditEvent.count).to eq(1)
      end
    end
+
+    describe 'POST /users/:id/block' do
+      it 'creates audit event when blocking user' do
+        stub_licensed_features(extended_audit_events: true)
+
+        expect do
+          post api("/users/#{user.id}/block", admin)
+        end.to change { AuditEvent.count }.by(1)
+      end
+    end
  end

  context 'shared_runners_minutes_limit' do

--- a/lib/api/users.rb
+++ b/lib/api/users.rb
@@ -528,11 +528,18 @@ module API
        user = User.find_by(id: params[:id])
        not_found!('User') unless user

-        if !user.ldap_blocked?
-          user.block
-        else
+        if user.ldap_blocked?
          forbidden!('LDAP blocked users cannot be modified by the API')
        end
+
+        break if user.blocked?
+
+        result = ::Users::BlockService.new(current_user).execute(user)
+        if result[:status] == :success
+          true
+        else
+          render_api_error!(result[:message], result[:http_status])
+        end
      end
      # rubocop: enable CodeReuse/ActiveRecord


--- a/spec/requests/api/users_spec.rb
+++ b/spec/requests/api/users_spec.rb
@@ -2165,14 +2165,20 @@ describe API::Users, :do_not_mock_admin_mode do
  end

  describe 'POST /users/:id/block' do
+    let(:blocked_user) { create(:user, state: 'blocked') }
+
    before do
      admin
    end

    it 'blocks existing user' do
      post api("/users/#{user.id}/block", admin)
-      expect(response).to have_gitlab_http_status(:created)
-      expect(user.reload.state).to eq('blocked')
+
+      aggregate_failures do
+        expect(response).to have_gitlab_http_status(:created)
+        expect(response.body).to eq('true')
+        expect(user.reload.state).to eq('blocked')
+      end
    end

    it 'does not re-block ldap blocked users' do
@@ -2192,6 +2198,15 @@ describe API::Users, :do_not_mock_admin_mode do
      expect(response).to have_gitlab_http_status(:not_found)
      expect(json_response['message']).to eq('404 User Not Found')
    end
+
+    it 'returns a 201 if user is already blocked' do
+      post api("/users/#{blocked_user.id}/block", admin)
+
+      aggregate_failures do
+        expect(response).to have_gitlab_http_status(:created)
+        expect(response.body).to eq('null')
+      end
+    end
  end

  describe 'POST /users/:id/unblock' do