Merge branch '20890-soft-delete-user-api-status-code' into 'master'

Adds different status code when user deletion fails Closes #20890 See merge request gitlab-org/gitlab!21037

Merge branch '20890-soft-delete-user-api-status-code' into 'master'
Adds different status code when user deletion fails Closes #20890 See merge request gitlab-org/gitlab!21037
e596e2da · Dmitriy Zaporozhets · 3f578b7c · cdc79bc4 · e596e2da · e596e2da
Commit e596e2da authored Dec 11, 2019 by Dmitriy Zaporozhets
4 changed files
--- a/changelogs/unreleased/20890-soft-delete-user-api-status-code.yml
+++ b/changelogs/unreleased/20890-soft-delete-user-api-status-code.yml
+---
+title: Adds 409 when user cannot be soft deleted through the API
+merge_request: 21037
+author:
+type: fixed
--- a/doc/api/users.md
+++ b/doc/api/users.md
@@ -430,7 +430,7 @@ e.g. when renaming the email address to some existing one.
 ## User deletion

 Deletes a user. Available only for administrators.
-This returns a `204 No Content` status code if the operation was successfully or `404` if the resource was not found.
+This returns a `204 No Content` status code if the operation was successfully, `404` if the resource was not found or `409` if the user cannot be soft deleted.

 ```
 DELETE /users/:id

--- a/lib/api/users.rb
+++ b/lib/api/users.rb
@@ -452,6 +452,7 @@ module API

        user = User.find_by(id: params[:id])
        not_found!('User') unless user
+        conflict!('User cannot be removed while is the sole-owner of a group') unless user.can_be_removed? || params[:hard_delete]

        destroy_conditionally!(user) do
          user.delete_async(deleted_by: current_user, params: params)

--- a/spec/requests/api/users_spec.rb
+++ b/spec/requests/api/users_spec.rb
@@ -1261,6 +1261,25 @@ describe API::Users do
      expect { Namespace.find(namespace.id) }.to raise_error ActiveRecord::RecordNotFound
    end

+    context "sole owner of a group" do
+      let!(:group) { create(:group).tap { |group| group.add_owner(user) } }
+
+      context "hard delete disabled" do
+        it "does not delete user" do
+          perform_enqueued_jobs { delete api("/users/#{user.id}", admin)}
+          expect(response).to have_gitlab_http_status(409)
+        end
+      end
+
+      context "hard delete enabled" do
+        it "delete user and group", :sidekiq_might_not_need_inline do
+          perform_enqueued_jobs { delete api("/users/#{user.id}?hard_delete=true", admin)}
+          expect(response).to have_gitlab_http_status(204)
+          expect(Group.exists?(group.id)).to be_falsy
+        end
+      end
+    end
+
    it_behaves_like '412 response' do
      let(:request) { api("/users/#{user.id}", admin) }
    end