Skip to content

Allow admins to sudo to blocked users

What does this MR do?

  • Allows admin users to sudo to blocked users
  • This presents one way to solve #29505 (closed)

Are there points in the code the reviewer needs to double check?

  • Are there any unintended consequences of this change I didn't think of?
  • Is there a reason this limitation was deliberately introduced in the first place?

Why was this MR needed?

Admins currently cannot delete snippets for blocked users. We could solve this by modifying the snippets API to allow admin access, but it is a lot easier to change this at the sudo level.

What are the relevant issue numbers?

Notes

  • We don't need to disable updating user login metadata (current_sign_in_at, last_sign_in_at, etc.) when using sudo with a blocked user, since API calls already don't update a user's login metadata. API authentication simply sets current_user without calling out to warden.set_user or Devise's sign_in, so the hook for Trackable is not run, and the metadata is not updated.

Merge request reports

Loading