Prevent ldap_blocked users from being blocked/unblocked by the API

6e7db8e2 · Gabriel Mazetto · ba9855d4 · 6e7db8e2 · 6e7db8e2 · 6e7db8e2
Commit 6e7db8e2 authored 9 years ago by Gabriel Mazetto
--- a/doc/api/users.md
+++ b/doc/api/users.md
@@ -558,7 +558,8 @@ Parameters:
  
 - `uid` (required) - id of specified user
  
-Will return `200 OK` on success, or `404 User Not Found` is user cannot be found.
+Will return `200 OK` on success, `404 User Not Found` is user cannot be found or 
+`403 Forbidden` when trying to block an already blocked user by LDAP synchronization.
  
 ## Unblock user
  
@@ -572,4 +573,5 @@ Parameters:
  
 - `uid` (required) - id of specified user
  
-Will return `200 OK` on success, or `404 User Not Found` is user cannot be found.
+Will return `200 OK` on success, `404 User Not Found` is user cannot be found or
+`403 Forbidden` when trying to unblock a user blocked by LDAP synchronization.
--- a/lib/api/users.rb
+++ b/lib/api/users.rb
@@ -284,10 +284,12 @@ module API
        authenticated_as_admin!
        user = User.find_by(id: params[:id])
  
-        if user
+        if !user
+          not_found!('User')
+        elsif !user.ldap_blocked?
          user.block
        else
-          not_found!('User')
+          forbidden!('LDAP blocked users cannot be modified by the API')
        end
      end
  
@@ -299,10 +301,12 @@ module API
        authenticated_as_admin!
        user = User.find_by(id: params[:id])
  
-        if user
+        if !user
+          not_found!('User')
+        elsif !user.ldap_blocked?
          user.activate
        else
-          not_found!('User')
+          forbidden!('LDAP blocked users cannot be unblocked by the API')
        end
      end
    end

--- a/spec/requests/api/users_spec.rb
+++ b/spec/requests/api/users_spec.rb
@@ -8,6 +8,8 @@ describe API::API, api: true  do
  let(:key)   { create(:key, user: user) }
  let(:email)   { create(:email, user: user) }
  let(:omniauth_user) { create(:omniauth_user) }
+  let(:ldap_user) { create(:omniauth_user, provider: 'ldapmain') }
+  let(:ldap_blocked_user) { create(:omniauth_user, provider: 'ldapmain', state: 'ldap_blocked') }
  
  describe "GET /users" do
    context "when unauthenticated" do
@@ -783,6 +785,12 @@ describe API::API, api: true  do
      expect(user.reload.state).to eq('blocked')
    end
  
+    it 'should not re-block ldap blocked users' do
+      put api("/users/#{ldap_blocked_user.id}/block", admin)
+      expect(response.status).to eq(403)
+      expect(ldap_blocked_user.reload.state).to eq('ldap_blocked')
+    end
+
    it 'should not be available for non admin users' do
      put api("/users/#{user.id}/block", user)
      expect(response.status).to eq(403)
@@ -797,7 +805,9 @@ describe API::API, api: true  do
  end
  
  describe 'PUT /user/:id/unblock' do
+    let(:blocked_user)  { create(:user, state: 'blocked') }
    before { admin }
+
    it 'should unblock existing user' do
      put api("/users/#{user.id}/unblock", admin)
      expect(response.status).to eq(200)
@@ -805,12 +815,15 @@ describe API::API, api: true  do
    end
  
    it 'should unblock a blocked user' do
-      put api("/users/#{user.id}/block", admin)
-      expect(response.status).to eq(200)
-      expect(user.reload.state).to eq('blocked')
-      put api("/users/#{user.id}/unblock", admin)
+      put api("/users/#{blocked_user.id}/unblock", admin)
      expect(response.status).to eq(200)
-      expect(user.reload.state).to eq('active')
+      expect(blocked_user.reload.state).to eq('active')
+    end
+
+    it 'should not unblock ldap blocked users' do
+      put api("/users/#{ldap_blocked_user.id}/unblock", admin)
+      expect(response.status).to eq(403)
+      expect(ldap_blocked_user.reload.state).to eq('ldap_blocked')
    end
  
    it 'should not be available for non admin users' do