Prevent ldap_blocked users from being blocked/unblocked by the API

6e7db8e2 · Gabriel Mazetto · ba9855d4 · 6e7db8e2 · 6e7db8e2 · 6e7db8e2
Commit 6e7db8e2 authored Dec 30, 2015 by Gabriel Mazetto
Hide whitespace changes
Inline Side-by-side

Showing with 30 additions and 11 deletions

doc/api/users.md doc/api/users.md +4 -2

lib/api/users.rb lib/api/users.rb +8 -4

spec/requests/api/users_spec.rb spec/requests/api/users_spec.rb +18 -5

No files found.
--- a/doc/api/users.md
+++ b/doc/api/users.md
@@ -558,7 +558,8 @@ Parameters:

 - `uid` (required) - id of specified user

-Will return `200 OK` on success, or `404 User Not Found` is user cannot be found.
+Will return `200 OK` on success, `404 User Not Found` is user cannot be found or 
+`403 Forbidden` when trying to block an already blocked user by LDAP synchronization.

 ## Unblock user

@@ -572,4 +573,5 @@ Parameters:

 - `uid` (required) - id of specified user

-Will return `200 OK` on success, or `404 User Not Found` is user cannot be found.
+Will return `200 OK` on success, `404 User Not Found` is user cannot be found or
+`403 Forbidden` when trying to unblock a user blocked by LDAP synchronization.
--- a/lib/api/users.rb
+++ b/lib/api/users.rb
@@ -284,10 +284,12 @@ module API
        authenticated_as_admin!
        user = User.find_by(id: params[:id])

-        if user
+        if !user
+          not_found!('User')
+        elsif !user.ldap_blocked?
          user.block
        else
-          not_found!('User')
+          forbidden!('LDAP blocked users cannot be modified by the API')
        end
      end

@@ -299,10 +301,12 @@ module API
        authenticated_as_admin!
        user = User.find_by(id: params[:id])

-        if user
+        if !user
+          not_found!('User')
+        elsif !user.ldap_blocked?
          user.activate
        else
-          not_found!('User')
+          forbidden!('LDAP blocked users cannot be unblocked by the API')
        end
      end
    end

--- a/spec/requests/api/users_spec.rb
+++ b/spec/requests/api/users_spec.rb
@@ -8,6 +8,8 @@ describe API::API, api: true  do
  let(:key)   { create(:key, user: user) }
  let(:email)   { create(:email, user: user) }
  let(:omniauth_user) { create(:omniauth_user) }
+  let(:ldap_user) { create(:omniauth_user, provider: 'ldapmain') }
+  let(:ldap_blocked_user) { create(:omniauth_user, provider: 'ldapmain', state: 'ldap_blocked') }

  describe "GET /users" do
    context "when unauthenticated" do
@@ -783,6 +785,12 @@ describe API::API, api: true  do
      expect(user.reload.state).to eq('blocked')
    end

+    it 'should not re-block ldap blocked users' do
+      put api("/users/#{ldap_blocked_user.id}/block", admin)
+      expect(response.status).to eq(403)
+      expect(ldap_blocked_user.reload.state).to eq('ldap_blocked')
+    end
+
    it 'should not be available for non admin users' do
      put api("/users/#{user.id}/block", user)
      expect(response.status).to eq(403)
@@ -797,7 +805,9 @@ describe API::API, api: true  do
  end

  describe 'PUT /user/:id/unblock' do
+    let(:blocked_user)  { create(:user, state: 'blocked') }
    before { admin }
+
    it 'should unblock existing user' do
      put api("/users/#{user.id}/unblock", admin)
      expect(response.status).to eq(200)
@@ -805,12 +815,15 @@ describe API::API, api: true  do
    end

    it 'should unblock a blocked user' do
-      put api("/users/#{user.id}/block", admin)
-      expect(response.status).to eq(200)
-      expect(user.reload.state).to eq('blocked')
-      put api("/users/#{user.id}/unblock", admin)
+      put api("/users/#{blocked_user.id}/unblock", admin)
      expect(response.status).to eq(200)
-      expect(user.reload.state).to eq('active')
+      expect(blocked_user.reload.state).to eq('active')
+    end
+
+    it 'should not unblock ldap blocked users' do
+      put api("/users/#{ldap_blocked_user.id}/unblock", admin)
+      expect(response.status).to eq(403)
+      expect(ldap_blocked_user.reload.state).to eq('ldap_blocked')
    end

    it 'should not be available for non admin users' do