Prevent ldap_blocked users from being blocked/unblocked by the API
This commit is contained in:
parent
ba9855d487
commit
6e7db8e23e
|
@ -558,7 +558,8 @@ Parameters:
|
|||
|
||||
- `uid` (required) - id of specified user
|
||||
|
||||
Will return `200 OK` on success, or `404 User Not Found` is user cannot be found.
|
||||
Will return `200 OK` on success, `404 User Not Found` is user cannot be found or
|
||||
`403 Forbidden` when trying to block an already blocked user by LDAP synchronization.
|
||||
|
||||
## Unblock user
|
||||
|
||||
|
@ -572,4 +573,5 @@ Parameters:
|
|||
|
||||
- `uid` (required) - id of specified user
|
||||
|
||||
Will return `200 OK` on success, or `404 User Not Found` is user cannot be found.
|
||||
Will return `200 OK` on success, `404 User Not Found` is user cannot be found or
|
||||
`403 Forbidden` when trying to unblock a user blocked by LDAP synchronization.
|
||||
|
|
|
@ -284,10 +284,12 @@ module API
|
|||
authenticated_as_admin!
|
||||
user = User.find_by(id: params[:id])
|
||||
|
||||
if user
|
||||
if !user
|
||||
not_found!('User')
|
||||
elsif !user.ldap_blocked?
|
||||
user.block
|
||||
else
|
||||
not_found!('User')
|
||||
forbidden!('LDAP blocked users cannot be modified by the API')
|
||||
end
|
||||
end
|
||||
|
||||
|
@ -299,10 +301,12 @@ module API
|
|||
authenticated_as_admin!
|
||||
user = User.find_by(id: params[:id])
|
||||
|
||||
if user
|
||||
if !user
|
||||
not_found!('User')
|
||||
elsif !user.ldap_blocked?
|
||||
user.activate
|
||||
else
|
||||
not_found!('User')
|
||||
forbidden!('LDAP blocked users cannot be unblocked by the API')
|
||||
end
|
||||
end
|
||||
end
|
||||
|
|
|
@ -8,6 +8,8 @@ describe API::API, api: true do
|
|||
let(:key) { create(:key, user: user) }
|
||||
let(:email) { create(:email, user: user) }
|
||||
let(:omniauth_user) { create(:omniauth_user) }
|
||||
let(:ldap_user) { create(:omniauth_user, provider: 'ldapmain') }
|
||||
let(:ldap_blocked_user) { create(:omniauth_user, provider: 'ldapmain', state: 'ldap_blocked') }
|
||||
|
||||
describe "GET /users" do
|
||||
context "when unauthenticated" do
|
||||
|
@ -783,6 +785,12 @@ describe API::API, api: true do
|
|||
expect(user.reload.state).to eq('blocked')
|
||||
end
|
||||
|
||||
it 'should not re-block ldap blocked users' do
|
||||
put api("/users/#{ldap_blocked_user.id}/block", admin)
|
||||
expect(response.status).to eq(403)
|
||||
expect(ldap_blocked_user.reload.state).to eq('ldap_blocked')
|
||||
end
|
||||
|
||||
it 'should not be available for non admin users' do
|
||||
put api("/users/#{user.id}/block", user)
|
||||
expect(response.status).to eq(403)
|
||||
|
@ -797,7 +805,9 @@ describe API::API, api: true do
|
|||
end
|
||||
|
||||
describe 'PUT /user/:id/unblock' do
|
||||
let(:blocked_user) { create(:user, state: 'blocked') }
|
||||
before { admin }
|
||||
|
||||
it 'should unblock existing user' do
|
||||
put api("/users/#{user.id}/unblock", admin)
|
||||
expect(response.status).to eq(200)
|
||||
|
@ -805,12 +815,15 @@ describe API::API, api: true do
|
|||
end
|
||||
|
||||
it 'should unblock a blocked user' do
|
||||
put api("/users/#{user.id}/block", admin)
|
||||
put api("/users/#{blocked_user.id}/unblock", admin)
|
||||
expect(response.status).to eq(200)
|
||||
expect(user.reload.state).to eq('blocked')
|
||||
put api("/users/#{user.id}/unblock", admin)
|
||||
expect(response.status).to eq(200)
|
||||
expect(user.reload.state).to eq('active')
|
||||
expect(blocked_user.reload.state).to eq('active')
|
||||
end
|
||||
|
||||
it 'should not unblock ldap blocked users' do
|
||||
put api("/users/#{ldap_blocked_user.id}/unblock", admin)
|
||||
expect(response.status).to eq(403)
|
||||
expect(ldap_blocked_user.reload.state).to eq('ldap_blocked')
|
||||
end
|
||||
|
||||
it 'should not be available for non admin users' do
|
||||
|
|
Loading…
Reference in New Issue