author | Jacob Vosmaer <contact@jacobvosmaer.nl> | 2015-07-03 16:17:02 +0200 |
---|---|---|
committer | Jacob Vosmaer <contact@jacobvosmaer.nl> | 2015-07-03 16:17:02 +0200 |
commit | 26172aeeae069731daa3a4556ec1a46319f023a0 (patch) | |
tree | 7a0c02fc1bc7f0071bb3cf07c8177d01661efa55 | |
parent | 6646a04d4cc6a4e421af6c56286b4aa4b8991d66 (diff) | |
parent | 50a04bdc28f8037131e7571370e87cf758181663 (diff) | |
download | gitlab-ce-26172aeeae069731daa3a4556ec1a46319f023a0.tar.gz |
Merge branch 'master' of gitlab.com:gitlab-org/gitlab-ce
-rw-r--r-- | CHANGELOG | 2 | ||||
-rw-r--r-- | CONTRIBUTING.md | 2 | ||||
-rw-r--r-- | app/controllers/application_controller.rb | 2 | ||||
-rw-r--r-- | doc/api/users.md | 28 | ||||
-rw-r--r-- | lib/api/users.rb | 30 | ||||
-rw-r--r-- | spec/requests/api/users_spec.rb | 51 |
6 files changed, 113 insertions, 2 deletions
diff --git a/CHANGELOG b/CHANGELOG index ec28ffac92f..4874f88f12f 100644 --- a/CHANGELOG +++ b/CHANGELOG @@ -1,6 +1,7 @@ Please view this file on the master branch, on stable branches it's out of date. v 7.13.0 (unreleased) + - Fix redirection to home page URL for unauthorized users (Daniel Gerhardt) - Fix external issue tracker hook/test for HTTPS URLs (Daniel Gerhardt) - Remove link leading to a 404 error in Deploy Keys page (Stan Hu) - Add support for unlocking users in admin settings (Stan Hu) @@ -34,6 +35,7 @@ v 7.13.0 (unreleased) - Faster automerge check and merge itself when source and target branches are in same repository - Correctly show anonymous authorized applications under Profile > Applications. - Query Optimization in MySQL. + - Allow users to be blocked and unblocked via the API v 7.12.1 - Fix error when deleting a user who has projects (Stan Hu) diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index a9dcf67b1e2..69abadb151a 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md @@ -67,7 +67,7 @@ To start with GitLab download the [GitLab Development Kit](https://gitlab.com/gi If you can, please submit a merge request with the fix or improvements including tests. If you don't know how to fix the issue but can write a test that exposes the issue we will accept that as well. In general bug fixes that include a regression test are merged quickly while new features without proper tests are least likely to receive timely feedback. The workflow to make a merge request is as follows: -1. Fork the project on GitLab Cloud +1. Fork the project into your personal space on GitLab.com 1. Create a feature branch 1. Write [tests](https://gitlab.com/gitlab-org/gitlab-development-kit#running-the-tests) and code 1. Add your changes to the [CHANGELOG](CHANGELOG) diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb index a657d3c54ee..63fc146f1d1 100644 --- a/app/controllers/application_controller.rb 
+++ b/app/controllers/application_controller.rb @@ -56,7 +56,7 @@ class ApplicationController < ActionController::Base def authenticate_user!(*args) # If user is not signed-in and tries to access root_path - redirect him to landing page if current_application_settings.home_page_url.present? - if current_user.nil? && controller_name == 'dashboard' && action_name == 'show' + if current_user.nil? && root_path == request.path redirect_to current_application_settings.home_page_url and return end end diff --git a/doc/api/users.md b/doc/api/users.md index 8b04282f160..5dca77b5c7b 100644 --- a/doc/api/users.md +++ b/doc/api/users.md @@ -396,3 +396,31 @@ Parameters: - `id` (required) - SSH key ID Will return `200 OK` on success, or `404 Not found` if either user or key cannot be found. + +## Block user + +Blocks the specified user. Available only for admin. + +``` +PUT /users/:uid/block +``` + +Parameters: + +- `uid` (required) - id of specified user + +Will return `200 OK` on success, or `404 User Not Found` is user cannot be found. + +## Unblock user + +Unblocks the specified user. Available only for admin. + +``` +PUT /users/:uid/unblock +``` + +Parameters: + +- `uid` (required) - id of specified user + +Will return `200 OK` on success, or `404 User Not Found` is user cannot be found. diff --git a/lib/api/users.rb b/lib/api/users.rb index 9b268cfe8bc..c468371d3d4 100644 --- a/lib/api/users.rb +++ b/lib/api/users.rb 
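Review bot: In app/controllers/application_controller.rb the new condition `root_path == request.path` is an exact string comparison, so a signed-out request that reaches the root without the trailing slash (for example under a relative URL root) may not match and would skip the redirect to `home_page_url`. This is inferred, because the routing and relative-root setup are not visible in the hunk. I would add a comment above the condition such as `# Compare request.path with root_path so the check follows whatever the root route points to`, and a request spec covering a signed-out request to the root with `home_page_url` set. The body of `authenticate_user!` continues outside the hunk.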
@@ -199,6 +199,36 @@ module API not_found!('User') end end + + # Block user. Available only for admin + # + # Example Request: + # PUT /users/:id/block + put ':id/block' do + authenticated_as_admin! + user = User.find_by(id: params[:id]) + + if user + user.block + else + not_found!('User') + end + end + + # Unblock user. Available only for admin + # + # Example Request: + # PUT /users/:id/unblock + put ':id/unblock' do + authenticated_as_admin! + user = User.find_by(id: params[:id]) + + if user + user.activate + else + not_found!('User') + end + end end resource :user do diff --git a/spec/requests/api/users_spec.rb b/spec/requests/api/users_spec.rb index 1a29058f3f1..c4dd1f76cf2 100644 --- a/spec/requests/api/users_spec.rb +++ b/spec/requests/api/users_spec.rb 
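Review bot: Both new handlers in lib/api/users.rb discard the result of `user.block` and `user.activate`, so a state transition that fails would presumably still be answered with 200, and a caller that blocks an account as a containment step cannot tell the account is still active. Check the return value and answer with an error status when it is false, e.g. `render_api_error!('User could not be blocked', 400) unless user.block`. The block route also accepts the caller's own id, so unless the model prevents it (not visible here) an admin can lock out their own account. A guard such as `forbidden! if user == current_user` before `user.block` is worth considering. The docs hunk names the parameter `:uid` while the route and these comments use `:id`, so one of the two should be made consistent.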
@@ -527,4 +527,55 @@ describe API::API, api: true do expect(response.status).to eq(401) end end + + describe 'PUT /user/:id/block' do + before { admin } + it 'should block existing user' do + put api("/users/#{user.id}/block", admin) + expect(response.status).to eq(200) + expect(user.reload.state).to eq('blocked') + end + + it 'should not be available for non admin users' do + put api("/users/#{user.id}/block", user) + expect(response.status).to eq(403) + expect(user.reload.state).to eq('active') + end + + it 'should return a 404 error if user id not found' do + put api('/users/9999/block', admin) + expect(response.status).to eq(404) + expect(json_response['message']).to eq('404 User Not Found') + end + end + + describe 'PUT /user/:id/unblock' do + before { admin } + it 'should unblock existing user' do + put api("/users/#{user.id}/unblock", admin) + expect(response.status).to eq(200) + expect(user.reload.state).to eq('active') + end + + it 'should unblock a blocked user' do + put api("/users/#{user.id}/block", admin) + expect(response.status).to eq(200) + expect(user.reload.state).to eq('blocked') + put api("/users/#{user.id}/unblock", admin) + expect(response.status).to eq(200) + expect(user.reload.state).to eq('active') + end + + it 'should not be available for non admin users' do + put api("/users/#{user.id}/unblock", user) + expect(response.status).to eq(403) + expect(user.reload.state).to eq('active') + end + + it 'should return a 404 error if user id not found' do + put api('/users/9999/block', admin) + expect(response.status).to eq(404) + expect(json_response['message']).to eq('404 User Not Found') + end + end end |
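Review bot: The last example under `describe 'PUT /user/:id/unblock'` sends `put api('/users/9999/block', admin)`, so the 404 path of the unblock endpoint is never exercised; it should be `put api('/users/9999/unblock', admin)`. The 'should unblock existing user' example appears to run against a user that is already active, so it passes without any state change and only 'should unblock a blocked user' covers the real transition. Both describe strings say `/user/:id/...` while the requests go to `/users/...`; renaming them to `PUT /users/:id/block` and `PUT /users/:id/unblock` keeps the spec output aligned with the route. Neither group asserts the behaviour for an unauthenticated request, which the surrounding context (a 401 expectation just above the hunk) suggests is covered for other endpoints.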