Commit b9f91f04 authored by Diego Louzán's avatar Diego Louzán Committed by Mayra Cabrera

fix: avoid setting user profile to public when updating via API

If a user is updated via a PUT API request and no value is
provided for the `private_profile` field, ignore the field instead of
resetting it to the default value (public).
parent bf0b267a
---
title: Fix inconditionally setting user profile to public when updating via
API and private_profile parameter is not present in the request
merge_request: 24456
author: Diego Louzán
type: fixed
...@@ -385,7 +385,7 @@ Parameters: ...@@ -385,7 +385,7 @@ Parameters:
- `skip_confirmation` (optional) - Skip confirmation - true or false (default) - `skip_confirmation` (optional) - Skip confirmation - true or false (default)
- `external` (optional) - Flags the user as external - true or false (default) - `external` (optional) - Flags the user as external - true or false (default)
- `avatar` (optional) - Image file for user's avatar - `avatar` (optional) - Image file for user's avatar
- `private_profile` (optional) - User's profile is private - true or false (default) - `private_profile` (optional) - User's profile is private - true, false (default), or null (will be converted to false)
- `shared_runners_minutes_limit` (optional) - Pipeline minutes quota for this user **(STARTER)** - `shared_runners_minutes_limit` (optional) - Pipeline minutes quota for this user **(STARTER)**
- `extra_shared_runners_minutes_limit` (optional) - Extra pipeline minutes quota for this user **(STARTER)** - `extra_shared_runners_minutes_limit` (optional) - Extra pipeline minutes quota for this user **(STARTER)**
...@@ -423,7 +423,7 @@ Parameters: ...@@ -423,7 +423,7 @@ Parameters:
- `shared_runners_minutes_limit` (optional) - Pipeline minutes quota for this user - `shared_runners_minutes_limit` (optional) - Pipeline minutes quota for this user
- `extra_shared_runners_minutes_limit` (optional) - Extra pipeline minutes quota for this user - `extra_shared_runners_minutes_limit` (optional) - Extra pipeline minutes quota for this user
- `avatar` (optional) - Image file for user's avatar - `avatar` (optional) - Image file for user's avatar
- `private_profile` (optional) - User's profile is private - true or false (default) - `private_profile` (optional) - User's profile is private - true, false (default), or null (will be converted to false)
- `shared_runners_minutes_limit` (optional) - Pipeline minutes quota for this user **(STARTER)** - `shared_runners_minutes_limit` (optional) - Pipeline minutes quota for this user **(STARTER)**
- `extra_shared_runners_minutes_limit` (optional) - Extra pipeline minutes quota for this user **(STARTER)** - `extra_shared_runners_minutes_limit` (optional) - Extra pipeline minutes quota for this user **(STARTER)**
- `note` (optional) - Admin notes for this user **(STARTER)** - `note` (optional) - Admin notes for this user **(STARTER)**
...@@ -52,7 +52,7 @@ module API ...@@ -52,7 +52,7 @@ module API
optional :external, type: Boolean, desc: 'Flag indicating the user is an external user' optional :external, type: Boolean, desc: 'Flag indicating the user is an external user'
# TODO: remove rubocop disable - https://gitlab.com/gitlab-org/gitlab/issues/14960 # TODO: remove rubocop disable - https://gitlab.com/gitlab-org/gitlab/issues/14960
optional :avatar, type: File, desc: 'Avatar image for user' # rubocop:disable Scalability/FileUploads optional :avatar, type: File, desc: 'Avatar image for user' # rubocop:disable Scalability/FileUploads
optional :private_profile, type: Boolean, default: false, desc: 'Flag indicating the user has a private profile' optional :private_profile, type: Boolean, desc: 'Flag indicating the user has a private profile'
all_or_none_of :extern_uid, :provider all_or_none_of :extern_uid, :provider
use :optional_params_ee use :optional_params_ee
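Review bot: Dropping `default: false` from the `private_profile` declaration is the whole fix, but nothing on that line records why the default must stay absent, so a later cleanup could reintroduce it and silently flip private profiles back to public on any PUT that omits the field; add above it `# Deliberately no default: this params block is reused by PUT /users/:id, where a default would overwrite an omitted field (private_profile true -> false).` The documentation change in this commit says a null value is converted to false, but that conversion is not visible in this hunk — presumably it happens at the model or column level; confirm and reference it in the same comment. If other entries in this shared block carry a `default:`, they reset omitted fields on update in the same way and deserve the same check. The enclosing params block starts and ends outside the hunk.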
...@@ -778,6 +778,12 @@ describe API::Users do ...@@ -778,6 +778,12 @@ describe API::Users do
expect(user.reload.external?).to be_truthy expect(user.reload.external?).to be_truthy
end end
it "private profile is false by default" do
put api("/users/#{user.id}", admin), params: {}
expect(user.reload.private_profile).to eq(false)
end
it "updates private profile" do it "updates private profile" do
put api("/users/#{user.id}", admin), params: { private_profile: true } put api("/users/#{user.id}", admin), params: { private_profile: true }
...@@ -785,14 +791,24 @@ describe API::Users do ...@@ -785,14 +791,24 @@ describe API::Users do
expect(user.reload.private_profile).to eq(true) expect(user.reload.private_profile).to eq(true)
end end
it "updates private profile when nil is given to false" do it "updates private profile to false when nil is given" do
admin.update(private_profile: true) user.update(private_profile: true)
put api("/users/#{user.id}", admin), params: { private_profile: nil } put api("/users/#{user.id}", admin), params: { private_profile: nil }
expect(response).to have_gitlab_http_status(200)
expect(user.reload.private_profile).to eq(false) expect(user.reload.private_profile).to eq(false)
end end
it "does not modify private profile when field is not provided" do
user.update(private_profile: true)
put api("/users/#{user.id}", admin), params: {}
expect(response).to have_gitlab_http_status(200)
expect(user.reload.private_profile).to eq(true)
end
it "does not update admin status" do it "does not update admin status" do
put api("/users/#{admin_user.id}", admin), params: { can_create_group: false } put api("/users/#{admin_user.id}", admin), params: { can_create_group: false }