Prevent ldap_blocked users from being blocked/unblocked by the API

2015-12-30 16:52:02 -02:00 · 2015-12-30 16:52:02 -02:00 · 6e7db8e23e
parent ba9855d487
commit 6e7db8e23e
3 changed files with 30 additions and 11 deletions
--- a/doc/api/users.md
+++ b/doc/api/users.md
@ -558,7 +558,8 @@ Parameters:

 - `uid` (required) - id of specified user

-Will return `200 OK` on success, or `404 User Not Found` is user cannot be found.
+Will return `200 OK` on success, `404 User Not Found` is user cannot be found or 
+`403 Forbidden` when trying to block an already blocked user by LDAP synchronization.

 ## Unblock user

@ -572,4 +573,5 @@ Parameters:

 - `uid` (required) - id of specified user

-Will return `200 OK` on success, or `404 User Not Found` is user cannot be found.
+Will return `200 OK` on success, `404 User Not Found` is user cannot be found or
+`403 Forbidden` when trying to unblock a user blocked by LDAP synchronization.
--- a/lib/api/users.rb
+++ b/lib/api/users.rb
@ -284,10 +284,12 @@ module API
        authenticated_as_admin!
        user = User.find_by(id: params[:id])

-        if user
+        if !user
+          not_found!('User')
+        elsif !user.ldap_blocked?
          user.block
        else
-          not_found!('User')
+          forbidden!('LDAP blocked users cannot be modified by the API')
        end
      end

@ -299,10 +301,12 @@ module API
        authenticated_as_admin!
        user = User.find_by(id: params[:id])

-        if user
+        if !user
+          not_found!('User')
+        elsif !user.ldap_blocked?
          user.activate
        else
-          not_found!('User')
+          forbidden!('LDAP blocked users cannot be unblocked by the API')
        end
      end
    end
--- a/spec/requests/api/users_spec.rb
+++ b/spec/requests/api/users_spec.rb
@ -8,6 +8,8 @@ describe API::API, api: true  do
  let(:key)   { create(:key, user: user) }
  let(:email)   { create(:email, user: user) }
  let(:omniauth_user) { create(:omniauth_user) }
+  let(:ldap_user) { create(:omniauth_user, provider: 'ldapmain') }
+  let(:ldap_blocked_user) { create(:omniauth_user, provider: 'ldapmain', state: 'ldap_blocked') }

  describe "GET /users" do
    context "when unauthenticated" do
@ -783,6 +785,12 @@ describe API::API, api: true  do
      expect(user.reload.state).to eq('blocked')
    end

+    it 'should not re-block ldap blocked users' do
+      put api("/users/#{ldap_blocked_user.id}/block", admin)
+      expect(response.status).to eq(403)
+      expect(ldap_blocked_user.reload.state).to eq('ldap_blocked')
+    end
+
    it 'should not be available for non admin users' do
      put api("/users/#{user.id}/block", user)
      expect(response.status).to eq(403)
@ -797,7 +805,9 @@ describe API::API, api: true  do
  end

  describe 'PUT /user/:id/unblock' do
+    let(:blocked_user)  { create(:user, state: 'blocked') }
    before { admin }
+
    it 'should unblock existing user' do
      put api("/users/#{user.id}/unblock", admin)
      expect(response.status).to eq(200)
@ -805,12 +815,15 @@ describe API::API, api: true  do
    end

    it 'should unblock a blocked user' do
-      put api("/users/#{user.id}/block", admin)
+      put api("/users/#{blocked_user.id}/unblock", admin)
      expect(response.status).to eq(200)
-      expect(user.reload.state).to eq('blocked')
-      put api("/users/#{user.id}/unblock", admin)
-      expect(response.status).to eq(200)
-      expect(user.reload.state).to eq('active')
+      expect(blocked_user.reload.state).to eq('active')
+    end
+
+    it 'should not unblock ldap blocked users' do
+      put api("/users/#{ldap_blocked_user.id}/unblock", admin)
+      expect(response.status).to eq(403)
+      expect(ldap_blocked_user.reload.state).to eq('ldap_blocked')
    end

    it 'should not be available for non admin users' do