author | Stan Hu <stanhu@gmail.com> | 2015-07-03 13:46:29 +0000 |
---|---|---|
committer | Stan Hu <stanhu@gmail.com> | 2015-07-03 13:46:29 +0000 |
commit | 50a04bdc28f8037131e7571370e87cf758181663 (patch) | |
tree | cc9f635e07f0ad0b74ae1d5b45b14f1eeebed236 | |
parent | 49749169e9b442c13cdc279d7e783f65a3afc794 (diff) | |
parent | b3a751112ded889769dadc7cc69d2d1467aa9471 (diff) | |
download | gitlab-ce-50a04bdc28f8037131e7571370e87cf758181663.tar.gz |
Merge branch 'api-user-blocking' into 'master'
Allow user to be blocked and activated via the API
When authenticating against LDAP, if a user has been disabled in LDAP they can no longer log on to the website or commit over http(s), but they will still be able to commit using any ssh keys. This functionality allows us to look for users in GitLab that no longer exist in LDAP and disable them in GitLab.
Closes Feedback item: [Add administrative API call to block users](http://feedback.gitlab.com/forums/176466-general/suggestions/4098632-add-administrative-api-call-to-block-users)
See merge request !587
-rw-r--r-- | CHANGELOG | 1 | ||||
-rw-r--r-- | doc/api/users.md | 28 | ||||
-rw-r--r-- | lib/api/users.rb | 30 | ||||
-rw-r--r-- | spec/requests/api/users_spec.rb | 51 |
4 files changed, 110 insertions, 0 deletions
diff --git a/CHANGELOG b/CHANGELOG
index 65be4bdf16c..4874f88f12f 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -35,6 +35,7 @@ v 7.13.0 (unreleased)
 - Faster automerge check and merge itself when source and target branches are in same repository
 - Correctly show anonymous authorized applications under Profile > Applications.
 - Query Optimization in MySQL.
+ - Allow users to be blocked and unblocked via the API
 v 7.12.1
 - Fix error when deleting a user who has projects (Stan Hu)
diff --git a/doc/api/users.md b/doc/api/users.md
index 8b04282f160..5dca77b5c7b 100644
--- a/doc/api/users.md
+++ b/doc/api/users.md
@@ -396,3 +396,31 @@ Parameters:
 - `id` (required) - SSH key ID
 Will return `200 OK` on success, or `404 Not found` if either user or key cannot be found.
+
+## Block user
+
+Blocks the specified user. Available only for admin.
+
+```
+PUT /users/:uid/block
+```
+
+Parameters:
+
+- `uid` (required) - id of specified user
+
+Will return `200 OK` on success, or `404 User Not Found` is user cannot be found.
+
+## Unblock user
+
+Unblocks the specified user. Available only for admin.
+
+```
+PUT /users/:uid/unblock
+```
+
+Parameters:
+
+- `uid` (required) - id of specified user
+
+Will return `200 OK` on success, or `404 User Not Found` is user cannot be found.
diff --git a/lib/api/users.rb b/lib/api/users.rb
index 9b268cfe8bc..c468371d3d4 100644
--- a/lib/api/users.rb
+++ b/lib/api/users.rb
@@ -199,6 +199,36 @@ module API
 not_found!('User')
 end
 end
+
+ # Block user. Available only for admin
+ #
+ # Example Request:
+ # PUT /users/:id/block
+ put ':id/block' do
+ authenticated_as_admin!
+ user = User.find_by(id: params[:id])
+
+ if user
+ user.block
+ else
+ not_found!('User')
+ end
+ end
+
+ # Unblock user. Available only for admin
+ #
+ # Example Request:
+ # PUT /users/:id/unblock
+ put ':id/unblock' do
+ authenticated_as_admin!
+ user = User.find_by(id: params[:id])
+
+ if user
+ user.activate
+ else
+ not_found!('User')
+ end
+ end
 end
 resource :user do
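Review bot: The result of `user.block` (and of `user.activate` in the unblock route) is never checked, so both routes answer 200 even if the state change did not persist; the route bodies are complete in this hunk, while the enclosing resource block starts outside it. The merge request describes this call as the way to cut off accounts removed from LDAP whose SSH keys would otherwise keep working, so a caller has to be able to trust a 200. The User model is not shown here, so this is inferred: a state-machine event normally returns false when the transition or the save fails. I would verify the outcome before responding, e.g. `render_api_error!('User could not be blocked', 500) unless user.block || user.blocked?`, and likewise for `user.activate`. Returning the user's resulting state in the body rather than the bare boolean would also let a sync script confirm what happened.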
diff --git a/spec/requests/api/users_spec.rb b/spec/requests/api/users_spec.rb
index 1a29058f3f1..c4dd1f76cf2 100644
--- a/spec/requests/api/users_spec.rb
+++ b/spec/requests/api/users_spec.rb
@@ -527,4 +527,55 @@ describe API::API, api: true do
 expect(response.status).to eq(401)
 end
 end
+
+ describe 'PUT /user/:id/block' do
+ before { admin }
+ it 'should block existing user' do
+ put api("/users/#{user.id}/block", admin)
+ expect(response.status).to eq(200)
+ expect(user.reload.state).to eq('blocked')
+ end
+
+ it 'should not be available for non admin users' do
+ put api("/users/#{user.id}/block", user)
+ expect(response.status).to eq(403)
+ expect(user.reload.state).to eq('active')
+ end
+
+ it 'should return a 404 error if user id not found' do
+ put api('/users/9999/block', admin)
+ expect(response.status).to eq(404)
+ expect(json_response['message']).to eq('404 User Not Found')
+ end
+ end
+
+ describe 'PUT /user/:id/unblock' do
+ before { admin }
+ it 'should unblock existing user' do
+ put api("/users/#{user.id}/unblock", admin)
+ expect(response.status).to eq(200)
+ expect(user.reload.state).to eq('active')
+ end
+
+ it 'should unblock a blocked user' do
+ put api("/users/#{user.id}/block", admin)
+ expect(response.status).to eq(200)
+ expect(user.reload.state).to eq('blocked')
+ put api("/users/#{user.id}/unblock", admin)
+ expect(response.status).to eq(200)
+ expect(user.reload.state).to eq('active')
+ end
+
+ it 'should not be available for non admin users' do
+ put api("/users/#{user.id}/unblock", user)
+ expect(response.status).to eq(403)
+ expect(user.reload.state).to eq('active')
+ end
+
+ it 'should return a 404 error if user id not found' do
+ put api('/users/9999/block', admin)
+ expect(response.status).to eq(404)
+ expect(json_response['message']).to eq('404 User Not Found')
+ end
+ end
 end |
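Review bot: The final example of the `PUT /user/:id/unblock` group calls `put api('/users/9999/block', admin)`, so the unblock route's 404 branch is never exercised; it should request `'/users/9999/unblock'`. The non-admin unblock example starts from an active user, so `expect(user.reload.state).to eq('active')` would also pass if the request had wrongly succeeded. Calling `user.block` before the request and expecting `'blocked'` afterwards would make that authorization check meaningful. The two `describe` titles say `/user/` while the routes under test are `/users/`. The enclosing `describe API::API` block starts outside this hunk.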