authorGitLab Bot <gitlab-bot@gitlab.com>2020-10-21 07:08:36 +0000
committerGitLab Bot <gitlab-bot@gitlab.com>2020-10-21 07:08:36 +0000
commit48aff82709769b098321c738f3444b9bdaa694c6 (patch)
treee00c7c43e2d9b603a5a6af576b1685e400410dee /app/services/users
parent879f5329ee916a948223f8f43d77fba4da6cd028 (diff)
downloadgitlab-ce-48aff82709769b098321c738f3444b9bdaa694c6.tar.gz
Add latest changes from gitlab-org/gitlab@13-5-stable-eev13.5.0-rc42
Diffstat (limited to 'app/services/users')
-rw-r--r--app/services/users/approve_service.rb37
-rw-r--r--app/services/users/block_service.rb2
-rw-r--r--app/services/users/build_service.rb3
-rw-r--r--app/services/users/destroy_service.rb2
-rw-r--r--app/services/users/validate_otp_service.rb25
5 files changed, 67 insertions, 2 deletions
diff --git a/app/services/users/approve_service.rb b/app/services/users/approve_service.rb
new file mode 100644
index 00000000000..228cfbd6947
--- /dev/null
+++ b/app/services/users/approve_service.rb
@@ -0,0 +1,37 @@
+# frozen_string_literal: true
+
+module Users
+ class ApproveService < BaseService
+ def initialize(current_user)
+ @current_user = current_user
+ end
+
+ def execute(user)
+ return error(_('You are not allowed to approve a user')) unless allowed?
+ return error(_('The user you are trying to approve is not pending an approval')) unless approval_required?(user)
+
+ if user.activate
+ # Resends confirmation email if the user isn't confirmed yet.
+ # Please see Devise's implementation of `resend_confirmation_instructions` for detail.
+ user.resend_confirmation_instructions
+ user.accept_pending_invitations! if user.active_for_authentication?
+
+ success
+ else
+ error(user.errors.full_messages.uniq.join('. '))
+ end
+ end
+
+ private
+
+ attr_reader :current_user
+
+ def allowed?
+ can?(current_user, :approve_user)
+ end
+
+ def approval_required?(user)
+ user.blocked_pending_approval?
+ end
+ end
+end
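Review bot: The authorization failure in `execute` returns `error(...)` without an HTTP status, while the guard added to block_service.rb in this same commit passes 403 for a refusal. Passing it here too, `return error(_('You are not allowed to approve a user'), 403) unless allowed?`, lets API callers tell a permission failure apart from a validation failure. The success path also records nothing about which administrator approved which account. If BaseService or the caller does not already log that, a log line naming both users would make approvals reviewable later.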
diff --git a/app/services/users/block_service.rb b/app/services/users/block_service.rb
index 041db731875..8513664ee85 100644
--- a/app/services/users/block_service.rb
+++ b/app/services/users/block_service.rb
@@ -7,6 +7,8 @@ module Users
end
def execute(user)
+ return error('An internal user cannot be blocked', 403) if user.internal?
+
if user.block
after_block_hook(user)
success
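Review bot: The new refusal message is a bare string literal, whereas the user-facing errors in approve_service.rb in this commit are wrapped in `_()`. If this message can reach the UI or an API response, it should read `return error(_('An internal user cannot be blocked'), 403) if user.internal?`. A short comment above the guard saying why internal users are exempt would also help, since `internal?` is defined outside this hunk and its exact meaning is not visible here. `execute` continues past the end of the hunk.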
diff --git a/app/services/users/build_service.rb b/app/services/users/build_service.rb
index 2fc46f033dd..e3f02bf85f0 100644
--- a/app/services/users/build_service.rb
+++ b/app/services/users/build_service.rb
@@ -104,7 +104,6 @@ module Users
def build_user_params(skip_authorization:)
if current_user&.admin?
user_params = params.slice(*admin_create_params)
- user_params[:created_by_id] = current_user&.id
if params[:reset_password]
user_params.merge!(force_random_password: true, password_expires_at: nil)
@@ -125,6 +124,8 @@ module Users
end
end
+ user_params[:created_by_id] = current_user&.id
+
if user_default_internal_regex_enabled? && !user_params.key?(:external)
user_params[:external] = user_external?
end
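Review bot: The relocated `user_params[:created_by_id] = current_user&.id` has no comment explaining why it now sits after both branches. As written it runs for admin and non-admin creation alike and overwrites any `created_by_id` already present in `user_params`, which looks intentional. A comment such as `# Always derived from the authenticated user (nil when anonymous), never from request params` would keep a later refactor from moving it back inside the admin branch. The non-admin branch lies outside the hunk, so whether it could populate that key from params cannot be confirmed from here.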
diff --git a/app/services/users/destroy_service.rb b/app/services/users/destroy_service.rb
index 436d4fb3985..613d2e4ad82 100644
--- a/app/services/users/destroy_service.rb
+++ b/app/services/users/destroy_service.rb
@@ -26,7 +26,7 @@ module Users
def execute(user, options = {})
delete_solo_owned_groups = options.fetch(:delete_solo_owned_groups, options[:hard_delete])
- unless Ability.allowed?(current_user, :destroy_user, user)
+ unless Ability.allowed?(current_user, :destroy_user, user) || options[:skip_authorization]
raise Gitlab::Access::AccessDeniedError, "#{current_user} tried to destroy user #{user}!"
end
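Review bot: `options[:skip_authorization]` makes the only permission check visible in `execute` something a caller can switch off with any truthy value in a general-purpose options hash. The call sites are outside this hunk, so it should be confirmed that none of them builds `options` from request parameters. Otherwise a supplied key would bypass the `:destroy_user` check. Consider requiring the literal, `|| options[:skip_authorization] == true`, and documenting the contract on the method: `# skip_authorization: trusted internal callers only; never forward request params into options`. Logging when the bypass is taken would keep such deletions traceable.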
diff --git a/app/services/users/validate_otp_service.rb b/app/services/users/validate_otp_service.rb
new file mode 100644
index 00000000000..a9ce7959aea
--- /dev/null
+++ b/app/services/users/validate_otp_service.rb
@@ -0,0 +1,25 @@
+# frozen_string_literal: true
+
+module Users
+ class ValidateOtpService < BaseService
+ def initialize(current_user)
+ @current_user = current_user
+ @strategy = if Feature.enabled?(:forti_authenticator, current_user)
+ ::Gitlab::Auth::Otp::Strategies::FortiAuthenticator.new(current_user)
+ else
+ ::Gitlab::Auth::Otp::Strategies::Devise.new(current_user)
+ end
+ end
+
+ def execute(otp_code)
+ strategy.validate(otp_code)
+ rescue StandardError => ex
+ Gitlab::ErrorTracking.log_exception(ex)
+ error(message: ex.message)
+ end
+
+ private
+
+ attr_reader :strategy
+ end
+end
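Review bot: The rescue in `execute` hands `ex.message` straight back to the caller, so whatever the selected OTP strategy raises can surface in the result of a sign-in step. With an external authenticator this may include connection or configuration details. Keep the `Gitlab::ErrorTracking.log_exception(ex)` call for operators and return a fixed message instead, for example `error(_('OTP validation failed'))`. Separately, `error(message: ex.message)` passes a hash, while approve_service.rb in this commit calls `error` with a positional string. BaseService is not visible here, so confirm which shape callers expect.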