Merge branch 'prevent-api-initiating-user-blocking' into 'master'

Prevent user blocking themselves through API See merge request gitlab-org/gitlab!80224

Merge branch 'prevent-api-initiating-user-blocking' into 'master'
Prevent user blocking themselves through API See merge request gitlab-org/gitlab!80224
3440efae · Alex Pooley · dd45cf5d · 71678a24 · 3440efae · 3440efae
Commit 3440efae authored Mar 09, 2022 by Alex Pooley
Hide whitespace changes
Inline Side-by-side

Showing with 14 additions and 0 deletions

lib/api/users.rb lib/api/users.rb +2 -0

spec/requests/api/users_spec.rb spec/requests/api/users_spec.rb +12 -0

No files found.
--- a/lib/api/users.rb
+++ b/lib/api/users.rb
@@ -702,6 +702,8 @@ module API

        if user.ldap_blocked?
          forbidden!('LDAP blocked users cannot be modified by the API')
+        elsif current_user == user
+          forbidden!('The API initiating user cannot be blocked by the API')
        end

        break if user.blocked?

--- a/spec/requests/api/users_spec.rb
+++ b/spec/requests/api/users_spec.rb
@@ -3117,6 +3117,18 @@ RSpec.describe API::Users do
          expect(response.body).to eq('null')
        end
      end
+
+      context 'with the API initiating user' do
+        let(:user_id) { admin.id }
+
+        it 'does not block the API initiating user, returns 403' do
+          block_user
+
+          expect(response).to have_gitlab_http_status(:forbidden)
+          expect(json_response['message']).to eq('403 Forbidden - The API initiating user cannot be blocked by the API')
+          expect(admin.reload.state).to eq('active')
+        end
+      end
    end

    it 'is not available for non admin users' do