authorStan Hu <stanhu@gmail.com>2015-12-02 11:14:02 -0800
committerStan Hu <stanhu@gmail.com>2015-12-02 11:14:02 -0800
commitcc5251336747c73073f52be304c8550723c83e7f (patch)
tree5077b1907ed64b406c34422a05f871209a057ce7
parentefead2cf1604465bf5b840905571356fc2ef98a2 (diff)
parentec754d221368fad2b765fa60c665a461b2b29c78 (diff)
Merge pull request #9873 from atomaka/atomaka/feature/prevent-blocked-impersonation
Prevent impersonation if blocked
-rw-r--r--app/controllers/admin/impersonation_controller.rb16
-rw-r--r--app/views/admin/users/_head.html.haml2
-rw-r--r--spec/controllers/admin/impersonation_controller_spec.rb19
-rw-r--r--spec/features/admin/admin_users_spec.rb10
4 files changed, 41 insertions, 6 deletions
diff --git a/app/controllers/admin/impersonation_controller.rb b/app/controllers/admin/impersonation_controller.rb
index 0382402afa6..bf98af78615 100644
--- a/app/controllers/admin/impersonation_controller.rb
+++ b/app/controllers/admin/impersonation_controller.rb
@@ -5,14 +5,20 @@ class Admin::ImpersonationController < Admin::ApplicationController
before_action :authorize_impersonator!
def create
- session[:impersonator_id] = current_user.username
- session[:impersonator_return_to] = request.env['HTTP_REFERER']
+ if @user.blocked?
+ flash[:alert] = "You cannot impersonate a blocked user"
- warden.set_user(user, scope: 'user')
+ redirect_to admin_user_path(@user)
+ else
+ session[:impersonator_id] = current_user.username
+ session[:impersonator_return_to] = admin_user_path(@user)
+
+ warden.set_user(user, scope: 'user')
- flash[:alert] = "You are impersonating #{user.username}."
+ flash[:alert] = "You are impersonating #{user.username}."
- redirect_to root_path
+ redirect_to root_path
+ end
end
def destroy
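Review bot: The new guard reads `@user.blocked?` while the sign-in a few lines below still calls `warden.set_user(user, scope: 'user')`, so the check and the session switch go through two different references to the target account. Where `@user` is assigned is not visible in this hunk (presumably a filter or a memoising `user` helper above it), so it is worth using one accessor throughout, e.g. `if user.blocked?` and `admin_user_path(user)`, so the blocked check cannot end up evaluated on a different or unset object. A short comment above the branch such as `# Blocked accounts must never receive a session, even via an admin.` would also record why the check lives in the controller and not only in the view. The class body starts before the hunk and `destroy` continues after it.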
diff --git a/app/views/admin/users/_head.html.haml b/app/views/admin/users/_head.html.haml
index 8d1cab4137c..5e17b018163 100644
--- a/app/views/admin/users/_head.html.haml
+++ b/app/views/admin/users/_head.html.haml
@@ -6,7 +6,7 @@
%span.cred (Admin)
.pull-right
- - unless @user == current_user
+ - unless @user == current_user || @user.blocked?
= link_to 'Impersonate', impersonate_admin_user_path(@user), method: :post, class: "btn btn-grouped btn-info"
= link_to edit_admin_user_path(@user), class: "btn btn-grouped" do
%i.fa.fa-pencil-square-o
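Review bot: Of the two conditions on the changed `unless` line, only `@user.blocked?` has a matching server-side check in this commit; `@user == current_user` is, as far as this page shows, enforced only by hiding the link. Hiding the button does not prevent a direct request to the impersonate route, so confirm that `authorize_impersonator!` or `create` also rejects self-impersonation, or add that check there. As a style point, `unless` combined with `||` is easy to misread; `- if @user != current_user && !@user.blocked?` states the same condition positively.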
diff --git a/spec/controllers/admin/impersonation_controller_spec.rb b/spec/controllers/admin/impersonation_controller_spec.rb
new file mode 100644
index 00000000000..d7a7ba1c5b6
--- /dev/null
+++ b/spec/controllers/admin/impersonation_controller_spec.rb
@@ -0,0 +1,19 @@
+require 'spec_helper'
+
+describe Admin::ImpersonationController do
+ let(:admin) { create(:admin) }
+
+ before do
+ sign_in(admin)
+ end
+
+ describe 'CREATE #impersonation when blocked' do
+ let(:blocked_user) { create(:user, state: :blocked) }
+
+ it 'does not allow impersonation' do
+ post :create, id: blocked_user.username
+
+ expect(flash[:alert]).to eq 'You cannot impersonate a blocked user'
+ end
+ end
+end
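Review bot: The example `it 'does not allow impersonation'` asserts only the flash text, so it would still pass if `create` set the message and then switched the session anyway. Pin the security-relevant outcome as well: `expect(response).to redirect_to(admin_user_path(blocked_user))` and `expect(session[:impersonator_id]).to be_nil`. A companion example for an active user would show that the guard leaves the normal path working.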
diff --git a/spec/features/admin/admin_users_spec.rb b/spec/features/admin/admin_users_spec.rb
index 86f01faffb4..4570e409128 100644
--- a/spec/features/admin/admin_users_spec.rb
+++ b/spec/features/admin/admin_users_spec.rb
@@ -128,6 +128,16 @@ describe "Admin::Users", feature: true do
expect(page).not_to have_content('Impersonate')
end
+
+ it 'should not show impersonate button for blocked user' do
+ another_user.block
+
+ visit admin_user_path(another_user)
+
+ expect(page).not_to have_content('Impersonate')
+
+ another_user.activate
+ end
end
context 'when impersonating' do
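Review bot: The trailing `another_user.activate` runs only when the expectation above it passes, so a failing run skips whatever cleanup that call was meant to provide and leaves the user blocked. If the state really has to be restored, move it to an `after` hook; if records are rebuilt or rolled back per example (not visible in this hunk), the line can simply be dropped. The description could also follow the controller spec's wording, e.g. `it 'does not show the impersonate button for a blocked user'`. The enclosing `describe`/`context` opens before the hunk.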