Commit df1ad388 authored by manojmj's avatar manojmj

Do not allow deactivated users to use Slash Commands

This change prevents deactivated users from
using slash commands.
parent 1987c8a7
...@@ -33,9 +33,12 @@ class SlashCommandsService < Service ...@@ -33,9 +33,12 @@ class SlashCommandsService < Service
return unless valid_token?(params[:token]) return unless valid_token?(params[:token])
chat_user = find_chat_user(params) chat_user = find_chat_user(params)
user = chat_user&.user
if user
unless user.can?(:use_slash_commands)
return Gitlab::SlashCommands::Presenters::Access.new.deactivated if user.deactivated?
if chat_user&.user
unless chat_user.user.can?(:use_slash_commands)
return Gitlab::SlashCommands::Presenters::Access.new.access_denied(project) return Gitlab::SlashCommands::Presenters::Access.new.access_denied(project)
end end
......
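Review bot: The `return Gitlab::SlashCommands::Presenters::Access.new.deactivated if user.deactivated?` line is only reached once `user.can?(:use_slash_commands)` has already returned false, so the deactivated-specific message silently depends on GlobalPolicy keeping `prevent :use_slash_commands` in its deactivated rule; nothing in this service enforces that on its own. A short comment would make the coupling explicit for the next maintainer: `# GlobalPolicy prevents :use_slash_commands for deactivated users; give them the reactivation hint instead of the generic denial`. The nested `if user` / `unless` pair could also be flattened into guard clauses, but that is cosmetic. The enclosing method starts before and continues past this hunk.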
...@@ -48,6 +48,7 @@ class GlobalPolicy < BasePolicy ...@@ -48,6 +48,7 @@ class GlobalPolicy < BasePolicy
prevent :access_git prevent :access_git
prevent :access_api prevent :access_api
prevent :receive_notifications prevent :receive_notifications
prevent :use_slash_commands
end end
rule { required_terms_not_accepted }.policy do rule { required_terms_not_accepted }.policy do
......
...@@ -9,6 +9,8 @@ ...@@ -9,6 +9,8 @@
= s_('AdminUsers|The user will not be able to access the API') = s_('AdminUsers|The user will not be able to access the API')
%li %li
= s_('AdminUsers|The user will not receive any notifications') = s_('AdminUsers|The user will not receive any notifications')
%li
= s_('AdminUsers|The user will not be able to use slash commands')
%li %li
= s_('AdminUsers|When the user logs back in, their account will reactivate as a fully active account') = s_('AdminUsers|When the user logs back in, their account will reactivate as a fully active account')
%li %li
......
---
title: Do not allow deactivated users to use slash commands
merge_request: 18365
author:
type: fixed
...@@ -55,6 +55,7 @@ A deactivated user: ...@@ -55,6 +55,7 @@ A deactivated user:
- Cannot access Git repositories or the API. - Cannot access Git repositories or the API.
- Will not receive any notifications from GitLab. - Will not receive any notifications from GitLab.
- Will not be able to use [slash commands](../../../integration/slash_commands.md).
Personal projects, group and user history of the deactivated user will be left intact. Personal projects, group and user history of the deactivated user will be left intact.
......
...@@ -15,6 +15,15 @@ module Gitlab ...@@ -15,6 +15,15 @@ module Gitlab
MESSAGE MESSAGE
end end
def deactivated
ephemeral_response(text: <<~MESSAGE)
You are not allowed to perform the given chatops command since
your account has been deactivated by your administrator.
Please log back in from a web browser to reactivate your account at #{Gitlab.config.gitlab.url}
MESSAGE
end
def not_found def not_found
ephemeral_response(text: "404 not found! GitLab couldn't find what you were looking for! :boom:") ephemeral_response(text: "404 not found! GitLab couldn't find what you were looking for! :boom:")
end end
......
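Review bot: The heredoc in `deactivated` calls the feature a `chatops command` while the commit title, admin view and docs in this same change all say `slash commands`, and its last sentence ends on the interpolated URL with no terminating punctuation; consider `You are not allowed to perform the given slash command since` for the first line and a period after `#{Gitlab.config.gitlab.url}`. The URL is read from instance configuration rather than from anything in the chat request, so the interpolation itself raises no injection concern. The surrounding class begins outside the hunk.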
...@@ -1252,6 +1252,9 @@ msgstr "" ...@@ -1252,6 +1252,9 @@ msgstr ""
msgid "AdminUsers|The user will not be able to access the API" msgid "AdminUsers|The user will not be able to access the API"
msgstr "" msgstr ""
msgid "AdminUsers|The user will not be able to use slash commands"
msgstr ""
msgid "AdminUsers|The user will not receive any notifications" msgid "AdminUsers|The user will not receive any notifications"
msgstr "" msgstr ""
......
...@@ -3,6 +3,13 @@ ...@@ -3,6 +3,13 @@
require 'spec_helper' require 'spec_helper'
describe Gitlab::SlashCommands::Presenters::Access do describe Gitlab::SlashCommands::Presenters::Access do
shared_examples_for 'displays an error message' do
it do
expect(subject[:text]).to match(error_message)
expect(subject[:response_type]).to be(:ephemeral)
end
end
describe '#access_denied' do describe '#access_denied' do
let(:project) { build(:project) } let(:project) { build(:project) }
...@@ -10,9 +17,18 @@ describe Gitlab::SlashCommands::Presenters::Access do ...@@ -10,9 +17,18 @@ describe Gitlab::SlashCommands::Presenters::Access do
it { is_expected.to be_a(Hash) } it { is_expected.to be_a(Hash) }
it 'displays an error message' do it_behaves_like 'displays an error message' do
expect(subject[:text]).to match('are not allowed') let(:error_message) { 'you do not have access to the GitLab project' }
expect(subject[:response_type]).to be(:ephemeral) end
end
describe '#deactivated' do
subject { described_class.new.deactivated }
it { is_expected.to be_a(Hash) }
it_behaves_like 'displays an error message' do
let(:error_message) { 'your account has been deactivated by your administrator' }
end end
end end
......
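Review bot: The `#deactivated` example only checks a substring of the message, so the interpolated `#{Gitlab.config.gitlab.url}` reactivation link — the part of the text most likely to break if configuration access changes — is never asserted; add `it { expect(subject[:text]).to include(Gitlab.config.gitlab.url) }` next to the shared example. The outer `describe` block continues past the end of this hunk.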
...@@ -288,6 +288,14 @@ describe GlobalPolicy do ...@@ -288,6 +288,14 @@ describe GlobalPolicy do
it { is_expected.not_to be_allowed(:use_slash_commands) } it { is_expected.not_to be_allowed(:use_slash_commands) }
end end
context 'when deactivated' do
before do
current_user.deactivate
end
it { is_expected.not_to be_allowed(:use_slash_commands) }
end
context 'when access locked' do context 'when access locked' do
before do before do
current_user.lock_access! current_user.lock_access!
......
...@@ -94,16 +94,32 @@ RSpec.shared_examples 'chat slash commands service' do ...@@ -94,16 +94,32 @@ RSpec.shared_examples 'chat slash commands service' do
subject.trigger(params) subject.trigger(params)
end end
shared_examples_for 'blocks command execution' do
it do
expect_any_instance_of(Gitlab::SlashCommands::Command).not_to receive(:execute)
result = subject.trigger(params)
expect(result[:text]).to match(error_message)
end
end
context 'when user is blocked' do context 'when user is blocked' do
before do before do
chat_name.user.block chat_name.user.block
end end
it 'blocks command execution' do it_behaves_like 'blocks command execution' do
expect_any_instance_of(Gitlab::SlashCommands::Command).not_to receive(:execute) let(:error_message) { 'you do not have access to the GitLab project' }
end
end
result = subject.trigger(params) context 'when user is deactivated' do
expect(result).to include(text: /^You are not allowed/) before do
chat_name.user.deactivate
end
it_behaves_like 'blocks command execution' do
let(:error_message) { 'your account has been deactivated by your administrator' }
end end
end end
end end
......
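Review bot: The new `blocks command execution` shared example asserts only on `result[:text]`, dropping the old anchored `include(text: /^You are not allowed/)` check and never looking at `result[:response_type]`, so a regression that posted the denial into the channel instead of as an ephemeral reply would still pass for both the blocked and the deactivated contexts; add `expect(result[:response_type]).to eq(:ephemeral)` after the text match. Both new contexts sit inside the shared example group that begins before this hunk.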