authorGitLab Bot <gitlab-bot@gitlab.com>2019-10-10 00:06:44 +0000
committerGitLab Bot <gitlab-bot@gitlab.com>2019-10-10 00:06:44 +0000
commit308146dc398fd4c13453048105498018459e0985 (patch)
treed843eb63c1672e4b18c483907e2cd4aa7fca708e /spec/requests/api
parent4b28d5ae770c6bd332283a3f13ceae06329c409b (diff)
Add latest changes from gitlab-org/gitlab@master
Diffstat (limited to 'spec/requests/api')
-rw-r--r--spec/requests/api/doorkeeper_access_spec.rb28
-rw-r--r--spec/requests/api/internal/base_spec.rb8
-rw-r--r--spec/requests/api/users_spec.rb185
3 files changed, 205 insertions, 16 deletions
diff --git a/spec/requests/api/doorkeeper_access_spec.rb b/spec/requests/api/doorkeeper_access_spec.rb
index d74484c8d29..cfee3f6c0f8 100644
--- a/spec/requests/api/doorkeeper_access_spec.rb
+++ b/spec/requests/api/doorkeeper_access_spec.rb
@@ -38,21 +38,35 @@ describe 'doorkeeper access' do
end
end
- describe "when user is blocked" do
- it "returns authorization error" do
- user.block
+ shared_examples 'forbidden request' do
+ it 'returns 403 response' do
get api("/user"), params: { access_token: token.token }
expect(response).to have_gitlab_http_status(403)
end
end
- describe "when user is ldap_blocked" do
- it "returns authorization error" do
+ context "when user is blocked" do
+ before do
+ user.block
+ end
+
+ it_behaves_like 'forbidden request'
+ end
+
+ context "when user is ldap_blocked" do
+ before do
user.ldap_block
- get api("/user"), params: { access_token: token.token }
+ end
- expect(response).to have_gitlab_http_status(403)
+ it_behaves_like 'forbidden request'
+ end
+
+ context "when user is deactivated" do
+ before do
+ user.deactivate
end
+
+ it_behaves_like 'forbidden request'
end
end
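Review bot: The `forbidden request` shared example sends the token only as the `access_token` query parameter, so the blocked, ldap_blocked and deactivated contexts never exercise a token presented in the `Authorization` header. If this spec covers header-based tokens elsewhere (not visible in the hunk), running the shared example over both transports would catch a state check that one of them skips. The example also asserts only the status code; an assertion on the error body would show that the 403 comes from the user-state check rather than from some other refusal. The enclosing `describe 'doorkeeper access'` starts outside the hunk.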
diff --git a/spec/requests/api/internal/base_spec.rb b/spec/requests/api/internal/base_spec.rb
index 2280d8ca9d4..7161d6f0a10 100644
--- a/spec/requests/api/internal/base_spec.rb
+++ b/spec/requests/api/internal/base_spec.rb
@@ -237,14 +237,6 @@ describe API::Internal::Base do
expect(json_response['name']).to eq(user.name)
end
- it "finds a user by user id" do
- get(api("/internal/discover"), params: { user_id: user.id, secret_token: secret_token })
-
- expect(response).to have_gitlab_http_status(200)
-
- expect(json_response['name']).to eq(user.name)
- end
-
it "finds a user by username" do
get(api("/internal/discover"), params: { username: user.username, secret_token: secret_token })
diff --git a/spec/requests/api/users_spec.rb b/spec/requests/api/users_spec.rb
index df76b62b40e..0d190ae069e 100644
--- a/spec/requests/api/users_spec.rb
+++ b/spec/requests/api/users_spec.rb
@@ -1846,6 +1846,182 @@ describe API::Users do
end
end
+ context 'activate and deactivate' do
+ shared_examples '404' do
+ it 'returns 404' do
+ expect(response).to have_gitlab_http_status(404)
+ expect(json_response['message']).to eq('404 User Not Found')
+ end
+ end
+
+ describe 'POST /users/:id/activate' do
+ context 'performed by a non-admin user' do
+ it 'is not authorized to perform the action' do
+ post api("/users/#{user.id}/activate", user)
+
+ expect(response).to have_gitlab_http_status(403)
+ end
+ end
+
+ context 'performed by an admin user' do
+ context 'for a deactivated user' do
+ before do
+ user.deactivate
+
+ post api("/users/#{user.id}/activate", admin)
+ end
+
+ it 'activates a deactivated user' do
+ expect(response).to have_gitlab_http_status(201)
+ expect(user.reload.state).to eq('active')
+ end
+ end
+
+ context 'for an active user' do
+ before do
+ user.activate
+
+ post api("/users/#{user.id}/activate", admin)
+ end
+
+ it 'returns 201' do
+ expect(response).to have_gitlab_http_status(201)
+ expect(user.reload.state).to eq('active')
+ end
+ end
+
+ context 'for a blocked user' do
+ before do
+ user.block
+
+ post api("/users/#{user.id}/activate", admin)
+ end
+
+ it 'returns 403' do
+ expect(response).to have_gitlab_http_status(403)
+ expect(json_response['message']).to eq('403 Forbidden - A blocked user must be unblocked to be activated')
+ expect(user.reload.state).to eq('blocked')
+ end
+ end
+
+ context 'for a ldap blocked user' do
+ before do
+ user.ldap_block
+
+ post api("/users/#{user.id}/activate", admin)
+ end
+
+ it 'returns 403' do
+ expect(response).to have_gitlab_http_status(403)
+ expect(json_response['message']).to eq('403 Forbidden - A blocked user must be unblocked to be activated')
+ expect(user.reload.state).to eq('ldap_blocked')
+ end
+ end
+
+ context 'for a user that does not exist' do
+ before do
+ post api("/users/0/activate", admin)
+ end
+
+ it_behaves_like '404'
+ end
+ end
+ end
+
+ describe 'POST /users/:id/deactivate' do
+ context 'performed by a non-admin user' do
+ it 'is not authorized to perform the action' do
+ post api("/users/#{user.id}/deactivate", user)
+
+ expect(response).to have_gitlab_http_status(403)
+ end
+ end
+
+ context 'performed by an admin user' do
+ context 'for an active user' do
+ let(:activity) { {} }
+ let(:user) { create(:user, username: 'user.with.dot', **activity) }
+
+ context 'with no recent activity' do
+ let(:activity) { { last_activity_on: ::User::MINIMUM_INACTIVE_DAYS.next.days.ago } }
+
+ before do
+ post api("/users/#{user.id}/deactivate", admin)
+ end
+
+ it 'deactivates an active user' do
+ expect(response).to have_gitlab_http_status(201)
+ expect(user.reload.state).to eq('deactivated')
+ end
+ end
+
+ context 'with recent activity' do
+ let(:activity) { { last_activity_on: ::User::MINIMUM_INACTIVE_DAYS.pred.days.ago } }
+
+ before do
+ post api("/users/#{user.id}/deactivate", admin)
+ end
+
+ it 'does not deactivate an active user' do
+ expect(response).to have_gitlab_http_status(403)
+ expect(json_response['message']).to eq("403 Forbidden - The user you are trying to deactivate has been active in the past #{::User::MINIMUM_INACTIVE_DAYS} days and cannot be deactivated")
+ expect(user.reload.state).to eq('active')
+ end
+ end
+ end
+
+ context 'for a deactivated user' do
+ before do
+ user.deactivate
+
+ post api("/users/#{user.id}/deactivate", admin)
+ end
+
+ it 'returns 201' do
+ expect(response).to have_gitlab_http_status(201)
+ expect(user.reload.state).to eq('deactivated')
+ end
+ end
+
+ context 'for a blocked user' do
+ before do
+ user.block
+
+ post api("/users/#{user.id}/deactivate", admin)
+ end
+
+ it 'returns 403' do
+ expect(response).to have_gitlab_http_status(403)
+ expect(json_response['message']).to eq('403 Forbidden - A blocked user cannot be deactivated by the API')
+ expect(user.reload.state).to eq('blocked')
+ end
+ end
+
+ context 'for a ldap blocked user' do
+ before do
+ user.ldap_block
+
+ post api("/users/#{user.id}/deactivate", admin)
+ end
+
+ it 'returns 403' do
+ expect(response).to have_gitlab_http_status(403)
+ expect(json_response['message']).to eq('403 Forbidden - A blocked user cannot be deactivated by the API')
+ expect(user.reload.state).to eq('ldap_blocked')
+ end
+ end
+
+ context 'for a user that does not exist' do
+ before do
+ post api("/users/0/deactivate", admin)
+ end
+
+ it_behaves_like '404'
+ end
+ end
+ end
+ end
+
describe 'POST /users/:id/block' do
before do
admin
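Review bot: Both `performed by a non-admin user` examples (for `/activate` and `/deactivate`) assert only the 403 status, so they would still pass if the endpoint changed the user's state before refusing the request. Add `expect(user.reload.state).to eq('active')` after the status check, as the unblock spec for non-admin users further down already does, and consider targeting a user other than the caller so the test covers one account acting on another. There is also no example for a request sent without any credentials. The `username: 'user.with.dot'` in the deactivate `let(:user)` has no visible purpose, since the route is built from `user.id`; a one-line comment saying why it is needed would help. `describe API::Users` starts outside the hunk and the trailing `before do` block continues past it.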
@@ -1878,6 +2054,7 @@ describe API::Users do
describe 'POST /users/:id/unblock' do
let(:blocked_user) { create(:user, state: 'blocked') }
+ let(:deactivated_user) { create(:user, state: 'deactivated') }
before do
admin
@@ -1901,7 +2078,13 @@ describe API::Users do
expect(ldap_blocked_user.reload.state).to eq('ldap_blocked')
end
- it 'does not be available for non admin users' do
+ it 'does not unblock deactivated users' do
+ post api("/users/#{deactivated_user.id}/unblock", admin)
+ expect(response).to have_gitlab_http_status(403)
+ expect(deactivated_user.reload.state).to eq('deactivated')
+ end
+
+ it 'is not available for non admin users' do
post api("/users/#{user.id}/unblock", user)
expect(response).to have_gitlab_http_status(403)
expect(user.reload.state).to eq('active')
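Review bot: `does not unblock deactivated users` pins the 403 status and the unchanged state but not the response message, unlike the activate and deactivate specs added earlier in this file, which assert `json_response['message']`. Since the non-admin example directly below also returns 403, asserting the message here would tie the refusal to the deactivated state rather than to a generic authorization failure. A blank line between the `post` call and the expectations would match the layout of the other new examples.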