Commit 71678a24 authored by Ela Doğruyol's avatar Ela Doğruyol Committed by Alex Pooley

Prevent user blocking themselves through API

parent daae13af
...@@ -702,6 +702,8 @@ module API ...@@ -702,6 +702,8 @@ module API
if user.ldap_blocked? if user.ldap_blocked?
forbidden!('LDAP blocked users cannot be modified by the API') forbidden!('LDAP blocked users cannot be modified by the API')
elsif current_user == user
forbidden!('The API initiating user cannot be blocked by the API')
end end
break if user.blocked? break if user.blocked?
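Review bot: The new `elsif current_user == user` branch carries no comment saying why the initiating user is refused, so a later reader may take it for a cosmetic restriction rather than a lock-out guard; add `# Refuse self-blocking: it would revoke the credentials of the request in flight` above it. The guard is placed before `break if user.blocked?`, which is the right order because `forbidden!` halts the request before any early return, and a one-line comment on that ordering would keep a future refactor from moving it. This check only covers the block endpoint visible here; if the same module exposes other state-changing endpoints that can target the current user (deactivation, for instance), they presumably need the same guard, which this commit does not add. The enclosing endpoint definition starts and ends outside the hunk.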
...@@ -3116,6 +3116,18 @@ RSpec.describe API::Users do ...@@ -3116,6 +3116,18 @@ RSpec.describe API::Users do
expect(response.body).to eq('null') expect(response.body).to eq('null')
end end
end end
context 'with the API initiating user' do
let(:user_id) { admin.id }
it 'does not block the API initiating user, returns 403' do
block_user
expect(response).to have_gitlab_http_status(:forbidden)
expect(json_response['message']).to eq('403 Forbidden - The API initiating user cannot be blocked by the API')
expect(admin.reload.state).to eq('active')
end
end
end end
it 'is not available for non admin users' do it 'is not available for non admin users' do