Commit 3440efae authored by Alex Pooley's avatar Alex Pooley

Merge branch 'prevent-api-initiating-user-blocking' into 'master'

Prevent user blocking themselves through API

See merge request gitlab-org/gitlab!80224
parents dd45cf5d 71678a24
......@@ -702,6 +702,8 @@ module API
if user.ldap_blocked?
forbidden!('LDAP blocked users cannot be modified by the API')
elsif current_user == user
forbidden!('The API initiating user cannot be blocked by the API')
end
break if user.blocked?
......
......@@ -3117,6 +3117,18 @@ RSpec.describe API::Users do
expect(response.body).to eq('null')
end
end
context 'with the API initiating user' do
let(:user_id) { admin.id }
it 'does not block the API initiating user, returns 403' do
block_user
expect(response).to have_gitlab_http_status(:forbidden)
expect(json_response['message']).to eq('403 Forbidden - The API initiating user cannot be blocked by the API')
expect(admin.reload.state).to eq('active')
end
end
end
it 'is not available for non admin users' do
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment