Block user if he/she was blocked in Active Directory

3 files changed, 15 insertions, 2 deletions

diff --git a/CHANGELOG b/CHANGELOG
index b0adaeb101b..3e0bf6e700a 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -59,6 +59,7 @@ v 7.9.0 (unreleased)
   - Added blue thmeme
   - Remove annoying notice messages when create/update merge request
   - Allow smb:// links in Markdown text.
+  - Block user if he/she was blocked in Active Directory
 
 v 7.8.4
   - Fix issue_tracker_id substitution in custom issue trackers
diff --git a/lib/gitlab/ldap/access.rb b/lib/gitlab/ldap/access.rb
index 0c85acf7e69..6e30724e1f7 100644
--- a/lib/gitlab/ldap/access.rb
+++ b/lib/gitlab/ldap/access.rb
@@ -34,7 +34,14 @@ module Gitlab
       def allowed?
         if Gitlab::LDAP::Person.find_by_dn(user.ldap_identity.extern_uid, adapter)
           return true unless ldap_config.active_directory
-          !Gitlab::LDAP::Person.disabled_via_active_directory?(user.ldap_identity.extern_uid, adapter)
+
+          # Block user in GitLab if he/she was blocked in AD
+          if Gitlab::LDAP::Person.disabled_via_active_directory?(user.ldap_identity.extern_uid, adapter)
+            user.block unless user.blocked?
+            false
+          else
+            true
+          end
         else
           false
         end
diff --git a/spec/lib/gitlab/ldap/access_spec.rb b/spec/lib/gitlab/ldap/access_spec.rb
index a2b05249147..39d46efcbc3 100644
--- a/spec/lib/gitlab/ldap/access_spec.rb
+++ b/spec/lib/gitlab/ldap/access_spec.rb
@@ -20,6 +20,11 @@ describe Gitlab::LDAP::Access do
         before { Gitlab::LDAP::Person.stub(disabled_via_active_directory?: true) }
 
         it { is_expected.to be_falsey }
+
+        it "should block user in GitLab" do
+          access.allowed?
+          user.should be_blocked
+        end
       end
 
       context 'and has no disabled flag in active diretory' do
@@ -38,4 +43,4 @@ describe Gitlab::LDAP::Access do
       end
     end
   end
-end
\ No newline at end of file
+end