Merge branch 'sk/250679-fix-deactivate-user-api' into 'master'

Fix incorrect HTTP response in deactivate user API for internal user See merge request gitlab-org/gitlab!43356

Merge branch 'sk/250679-fix-deactivate-user-api' into 'master'
Fix incorrect HTTP response in deactivate user API for internal user See merge request gitlab-org/gitlab!43356
e0d54e64 · Gabriel Mazetto · a6b383f2 · c44bb420 · e0d54e64 · e0d54e64
Commit e0d54e64 authored Oct 14, 2020 by Gabriel Mazetto
10 changed files
--- a/app/controllers/admin/users_controller.rb
+++ b/app/controllers/admin/users_controller.rb
@@ -72,6 +72,7 @@ class Admin::UsersController < Admin::ApplicationController
  def deactivate
    return redirect_back_or_admin_user(notice: _("Error occurred. A blocked user cannot be deactivated")) if user.blocked?
    return redirect_back_or_admin_user(notice: _("Successfully deactivated")) if user.deactivated?
+    return redirect_back_or_admin_user(notice: _("Internal users cannot be deactivated")) if user.internal?
    return redirect_back_or_admin_user(notice: _("The user you are trying to deactivate has been active in the past %{minimum_inactive_days} days and cannot be deactivated") % { minimum_inactive_days: ::User::MINIMUM_INACTIVE_DAYS }) unless user.can_be_deactivated?
    user.deactivate

--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -1711,7 +1711,7 @@ class User < ApplicationRecord
  end
  def can_be_deactivated?
-    active? && no_recent_activity?
+    active? && no_recent_activity? && !internal?
  end
  def last_active_at

--- a/app/views/admin/users/show.html.haml
+++ b/app/views/admin/users/show.html.haml
@@ -150,6 +150,7 @@
      = render 'admin/users/user_detail_note'
+      - unless @user.internal?
        - if @user.deactivated?
          .card.border-info
            .card-header.bg-info.text-white

--- a/changelogs/unreleased/sk-250679-fix-deactivate-user-api.yml
+++ b/changelogs/unreleased/sk-250679-fix-deactivate-user-api.yml
+---
+title: Fix incorrect HTTP response in deactivate user API for internal user
+merge_request: 43356
+author: Sashi Kumar
+type: fixed
--- a/doc/api/users.md
+++ b/doc/api/users.md
@@ -1250,6 +1250,7 @@ Returns:
 - `403 Forbidden` when trying to deactivate a user:
  - Blocked by admin or by LDAP synchronization.
  - That has any activity in past 180 days. These users cannot be deactivated.
+  - That is internal.
 ## Activate user

--- a/lib/api/users.rb
+++ b/lib/api/users.rb
@@ -547,10 +547,15 @@ module API
        unless user.can_be_deactivated?
          forbidden!('A blocked user cannot be deactivated by the API') if user.blocked?
+          forbidden!('An internal user cannot be deactivated by the API') if user.internal?
          forbidden!("The user you are trying to deactivate has been active in the past #{::User::MINIMUM_INACTIVE_DAYS} days and cannot be deactivated")
        end
-        user.deactivate
+        if user.deactivate
+          true
+        else
+          render_api_error!(user.errors.full_messages, 400)
+        end
      end
      # rubocop: enable CodeReuse/ActiveRecord

--- a/locale/gitlab.pot
+++ b/locale/gitlab.pot
@@ -14096,6 +14096,9 @@ msgstr ""
 msgid "Internal users"
 msgstr ""
+msgid "Internal users cannot be deactivated"
+msgstr ""
 msgid "Interval Pattern"
 msgstr ""

--- a/spec/controllers/admin/users_controller_spec.rb
+++ b/spec/controllers/admin/users_controller_spec.rb
@@ -190,6 +190,17 @@ RSpec.describe Admin::UsersController do
        expect(flash[:notice]).to eq('Error occurred. A blocked user cannot be deactivated')
      end
    end
+    context 'for an internal user' do
+      it 'does not deactivate the user' do
+        internal_user = User.alert_bot
+        put :deactivate, params: { id: internal_user.username }
+        expect(internal_user.reload.deactivated?).to be_falsey
+        expect(flash[:notice]).to eq('Internal users cannot be deactivated')
+      end
+    end
  end
  describe 'PUT block/:id' do

--- a/spec/models/user_spec.rb
+++ b/spec/models/user_spec.rb
@@ -2781,6 +2781,14 @@ RSpec.describe User do
      it_behaves_like 'eligible for deactivation'
    end
+    context 'a user who is internal' do
+      it 'returns false' do
+        internal_user = create(:user, :bot)
+        expect(internal_user.can_be_deactivated?).to be_falsey
+      end
+    end
  end
  describe "#contributed_projects" do

--- a/spec/requests/api/users_spec.rb
+++ b/spec/requests/api/users_spec.rb
@@ -2482,6 +2482,17 @@ RSpec.describe API::Users, :do_not_mock_admin_mode do
          end
        end
+        context 'for an internal user' do
+          it 'returns 403' do
+            internal_user = User.alert_bot
+            post api("/users/#{internal_user.id}/deactivate", admin)
+            expect(response).to have_gitlab_http_status(:forbidden)
+            expect(json_response['message']).to eq('403 Forbidden  - An internal user cannot be deactivated by the API')
+          end
+        end
        context 'for a user that does not exist' do
          before do
            post api("/users/0/deactivate", admin)