diff options
author | Douwe Maan <douwe@gitlab.com> | 2016-01-14 11:00:08 +0000 |
---|---|---|
committer | Douwe Maan <douwe@gitlab.com> | 2016-01-14 11:00:08 +0000 |
commit | 4d64a32c88dd5f87621d391c0f10f6acef094073 (patch) | |
tree | 1a6f479e09c97d2e0526da4405c98f57f9825456 /spec/services | |
parent | cda9635441fee1543966830a0ba1d95221b2a379 (diff) | |
parent | dd6fc01ff8a073880b67a323a547edeb5d63f167 (diff) | |
download | gitlab-ce-4d64a32c88dd5f87621d391c0f10f6acef094073.tar.gz |
Merge branch 'feature/ldap-sync-edgecases' into 'master'
LDAP Sync blocked user edgecases
Allow GitLab admins to block otherwise valid GitLab LDAP users
(https://gitlab.com/gitlab-org/gitlab-ce/issues/3462)
Based on the discussion on the original issue, we are going to differentiate "normal" block operations to the ldap automatic ones in order to make some decisions when its one or the other.
Expected behavior:
- [x] "ldap_blocked" users respond to both `blocked?` and `ldap_blocked?`
- [x] "ldap_blocked" users can't be unblocked by the Admin UI
- [x] "ldap_blocked" users can't be unblocked by the API
- [x] Block operations that are originated from LDAP synchronization will flag user as "ldap_blocked"
- [x] Only "ldap_blocked" users will be automatically unblocked by LDAP synchronization
- [x] When LDAP identity is removed, we should convert `ldap_blocked` into `blocked`
Mockup for the Admin UI with both "ldap_blocked" and normal "blocked" users:
![image](/uploads/4f56fc17b73cb2c9e2a154a22e7ad291/image.png)
There will be another MR for the EE version.
See merge request !2242
Diffstat (limited to 'spec/services')
-rw-r--r-- | spec/services/repair_ldap_blocked_user_service_spec.rb | 23 |
1 files changed, 23 insertions, 0 deletions
diff --git a/spec/services/repair_ldap_blocked_user_service_spec.rb b/spec/services/repair_ldap_blocked_user_service_spec.rb new file mode 100644 index 00000000000..ce7d1455975 --- /dev/null +++ b/spec/services/repair_ldap_blocked_user_service_spec.rb @@ -0,0 +1,23 @@ +require 'spec_helper' + +describe RepairLdapBlockedUserService, services: true do + let(:user) { create(:omniauth_user, provider: 'ldapmain', state: 'ldap_blocked') } + let(:identity) { user.ldap_identity } + subject(:service) { RepairLdapBlockedUserService.new(user) } + + describe '#execute' do + it 'change to normal block after destroying last ldap identity' do + identity.destroy + service.execute + + expect(user.reload).not_to be_ldap_blocked + end + + it 'change to normal block after changing last ldap identity to another provider' do + identity.update_attribute(:provider, 'twitter') + service.execute + + expect(user.reload).not_to be_ldap_blocked + end + end +end |