Do not allow deactivated users to use Slash Commands

This change prevents deactivated users from
using slash commands.

app/models/project_services/slash_commands_service.rb

@@ -33,9 +33,12 @@ class SlashCommandsService < Service
     return unless valid_token?(params[:token])
 
     chat_user = find_chat_user(params)
+    user = chat_user&.user
+
+    if user
+      unless user.can?(:use_slash_commands)
+        return Gitlab::SlashCommands::Presenters::Access.new.deactivated if user.deactivated?
 
-    if chat_user&.user
-      unless chat_user.user.can?(:use_slash_commands)
         return Gitlab::SlashCommands::Presenters::Access.new.access_denied(project)
       end
 

app/policies/global_policy.rb

@@ -48,6 +48,7 @@ class GlobalPolicy < BasePolicy
     prevent :access_git
     prevent :access_api
     prevent :receive_notifications
+    prevent :use_slash_commands
   end
 
   rule { required_terms_not_accepted }.policy do

app/views/admin/users/_user_deactivation_effects.html.haml

@@ -9,6 +9,8 @@
     = s_('AdminUsers|The user will not be able to access the API')
   %li
     = s_('AdminUsers|The user will not receive any notifications')
+  %li
+    = s_('AdminUsers|The user will not be able to use slash commands')
   %li
     = s_('AdminUsers|When the user logs back in, their account will reactivate as a fully active account')
   %li

changelogs/unreleased/33750-follow-up-from-resolve-deactivate-a-user-with-self-service-reactiva.yml

+---
+title: Do not allow deactivated users to use slash commands
+merge_request: 18365
+author:
+type: fixed

doc/user/profile/account/delete_account.md

@@ -55,6 +55,7 @@ A deactivated user:
 
 - Cannot access Git repositories or the API.
 - Will not receive any notifications from GitLab.
+- Will not be able to use [slash commands](../../../integration/slash_commands.md).
 
 Personal projects, group and user history of the deactivated user will be left intact.
 

lib/gitlab/slash_commands/presenters/access.rb

@@ -15,6 +15,15 @@ module Gitlab
           MESSAGE
         end
 
+        def deactivated
+          ephemeral_response(text: <<~MESSAGE)
+            You are not allowed to perform the given chatops command since
+            your account has been deactivated by your administrator.
+
+            Please log back in from a web browser to reactivate your account at #{Gitlab.config.gitlab.url}
+          MESSAGE
+        end
+
         def not_found
           ephemeral_response(text: "404 not found! GitLab couldn't find what you were looking for! :boom:")
         end

locale/gitlab.pot

@@ -1252,6 +1252,9 @@ msgstr ""
 msgid "AdminUsers|The user will not be able to access the API"
 msgstr ""
 
+msgid "AdminUsers|The user will not be able to use slash commands"
+msgstr ""
+
 msgid "AdminUsers|The user will not receive any notifications"
 msgstr ""
 

spec/lib/gitlab/slash_commands/presenters/access_spec.rb

@@ -3,6 +3,13 @@
 require 'spec_helper'
 
 describe Gitlab::SlashCommands::Presenters::Access do
+  shared_examples_for 'displays an error message' do
+    it do
+      expect(subject[:text]).to match(error_message)
+      expect(subject[:response_type]).to be(:ephemeral)
+    end
+  end
+
   describe '#access_denied' do
     let(:project) { build(:project) }
 
@@ -10,9 +17,18 @@ describe Gitlab::SlashCommands::Presenters::Access do
 
     it { is_expected.to be_a(Hash) }
 
-    it 'displays an error message' do
-      expect(subject[:text]).to match('are not allowed')
-      expect(subject[:response_type]).to be(:ephemeral)
+    it_behaves_like 'displays an error message' do
+      let(:error_message) { 'you do not have access to the GitLab project' }
+    end
+  end
+
+  describe '#deactivated' do
+    subject { described_class.new.deactivated }
+
+    it { is_expected.to be_a(Hash) }
+
+    it_behaves_like 'displays an error message' do
+      let(:error_message) { 'your account has been deactivated by your administrator' }
     end
   end
 

spec/policies/global_policy_spec.rb

@@ -288,6 +288,14 @@ describe GlobalPolicy do
       it { is_expected.not_to be_allowed(:use_slash_commands) }
     end
 
+    context 'when deactivated' do
+      before do
+        current_user.deactivate
+      end
+
+      it { is_expected.not_to be_allowed(:use_slash_commands) }
+    end
+
     context 'when access locked' do
       before do
         current_user.lock_access!

spec/support/shared_examples/chat_slash_commands_shared_examples.rb

@@ -94,16 +94,32 @@ RSpec.shared_examples 'chat slash commands service' do
           subject.trigger(params)
         end
 
+        shared_examples_for 'blocks command execution' do
+          it do
+            expect_any_instance_of(Gitlab::SlashCommands::Command).not_to receive(:execute)
+
+            result = subject.trigger(params)
+            expect(result[:text]).to match(error_message)
+          end
+        end
+
         context 'when user is blocked' do
           before do
             chat_name.user.block
           end
 
-          it 'blocks command execution' do
-            expect_any_instance_of(Gitlab::SlashCommands::Command).not_to receive(:execute)
+          it_behaves_like 'blocks command execution' do
+            let(:error_message) { 'you do not have access to the GitLab project' }
+          end
+        end
 
-            result = subject.trigger(params)
-            expect(result).to include(text: /^You are not allowed/)
+        context 'when user is deactivated' do
+          before do
+            chat_name.user.deactivate
+          end
+
+          it_behaves_like 'blocks command execution' do
+            let(:error_message) { 'your account has been deactivated by your administrator' }
           end
         end
       end