author | Stan Hu <stanhu@gmail.com> | 2017-02-21 18:14:02 +0000 |
---|---|---|
committer | Stan Hu <stanhu@gmail.com> | 2017-02-21 18:14:02 +0000 |
commit | 3619c221a13e915537be97603421381ce0e6765f (patch) | |
tree | 5e8a42ccb646e3e8c95f1342e56362ba2342c84a /app | |
parent | 5a381e58bf71ff3e588707fa92f46c7b0cb4d9d0 (diff) | |
parent | e23c803769955d6728ed048112f8ca21e9b58a47 (diff) | |
download | gitlab-ce-3619c221a13e915537be97603421381ce0e6765f.tar.gz |
Merge branch 'sh-delete-user-permission-check' into 'master'
Add user deletion permission check in `Users::DestroyService`
See merge request !8974
Diffstat (limited to 'app')
-rw-r--r-- | app/services/users/destroy_service.rb | 4 | ||||
-rw-r--r-- | app/workers/delete_user_worker.rb | 2 |
2 files changed, 6 insertions, 0 deletions
diff --git a/app/services/users/destroy_service.rb b/app/services/users/destroy_service.rb
index 2d11305be13..bc0653cb634 100644
--- a/app/services/users/destroy_service.rb
+++ b/app/services/users/destroy_service.rb
@@ -7,6 +7,10 @@ module Users
 end
 def execute(user, options = {})
+ unless current_user.admin? || current_user == user
+ raise Gitlab::Access::AccessDeniedError, "#{current_user} tried to destroy user #{user}!"
+ end
+
 if !options[:delete_solo_owned_groups] && user.solo_owned_groups.present?
 user.errors[:base] << 'You must transfer ownership or delete groups before you can remove user'
 return user
diff --git a/app/workers/delete_user_worker.rb b/app/workers/delete_user_worker.rb
index 5483bbb210b..3340a7be4fe 100644
--- a/app/workers/delete_user_worker.rb
+++ b/app/workers/delete_user_worker.rb
@@ -7,5 +7,7 @@ class DeleteUserWorker
 current_user = User.find(current_user_id)
 Users::DestroyService.new(current_user).execute(delete_user, options.symbolize_keys)
+ rescue Gitlab::Access::AccessDeniedError => e
+ Rails.logger.warn("User could not be destroyed: #{e}")
 end
 end
|
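Review bot: The new guard at the top of `execute` calls `current_user.admin?` with no nil check, so a service built without a current user would raise NoMethodError instead of `Gitlab::Access::AccessDeniedError`; that still fails closed, but the worker's new rescue would not catch it and the attempt would not be recorded as a denial. Whether any caller passes nil is not visible here, so treat this as hardening: `unless current_user && (current_user.admin? || current_user == user)`. The message also interpolates the User objects themselves, so what reaches the log depends on `User#to_s`; naming ids, e.g. `"User #{current_user&.id} tried to destroy user #{user.id}!"`, gives an unambiguous audit trail. The body of `execute` continues past the end of the hunk.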
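Review bot: The added `rescue` reduces an authorization failure to one warn-level log line and lets the job finish normally, and that line identifies the two accounts only as far as the exception message happens to. A denial here means a deletion was enqueued for a user the requester may not remove, which is worth being able to find later, so include the ids: `Rails.logger.warn("User #{current_user_id} could not destroy user #{delete_user.id}: #{e}")`. `delete_user` is assigned above the hunk, so this assumes it is set before `execute` runs, as the visible call suggests. A short comment such as `# Not retried: a permission failure will not succeed on a later attempt` would record why the error is swallowed.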