diff options
author | Andrew Tomaka <atomaka@gmail.com> | 2015-12-01 23:40:24 -0500 |
---|---|---|
committer | Andrew Tomaka <atomaka@gmail.com> | 2015-12-02 08:07:29 -0500 |
commit | daca985a6e75d6f43c5cc5b487a0942d5bf93f68 (patch) | |
tree | 579e8734014953e8aaa1c784cd4a857e50c6ed79 | |
parent | 09e712c0fb721059e4b2619eb9fc104257fc492d (diff) | |
download | gitlab-ce-daca985a6e75d6f43c5cc5b487a0942d5bf93f68.tar.gz |
Prevent impersonation if blocked
-rw-r--r-- | app/controllers/admin/impersonation_controller.rb | 16 | ||||
-rw-r--r-- | app/views/admin/users/_head.html.haml | 2 | ||||
-rw-r--r-- | spec/controllers/admin/impersonation_controller_spec.rb | 19 | ||||
-rw-r--r-- | spec/features/admin/admin_users_spec.rb | 10 |
4 files changed, 41 insertions, 6 deletions
diff --git a/app/controllers/admin/impersonation_controller.rb b/app/controllers/admin/impersonation_controller.rb index 0382402afa6..102dd437402 100644 --- a/app/controllers/admin/impersonation_controller.rb +++ b/app/controllers/admin/impersonation_controller.rb @@ -5,14 +5,20 @@ class Admin::ImpersonationController < Admin::ApplicationController before_action :authorize_impersonator! def create - session[:impersonator_id] = current_user.username - session[:impersonator_return_to] = request.env['HTTP_REFERER'] + if @user.blocked? + flash[:alert] = "You cannot impersonate a blocked user" - warden.set_user(user, scope: 'user') + redirect_to admin_user_path(@user) + else + session[:impersonator_id] = current_user.username + session[:impersonator_return_to] = request.env['HTTP_REFERER'] + + warden.set_user(user, scope: 'user') - flash[:alert] = "You are impersonating #{user.username}." + flash[:alert] = "You are impersonating #{user.username}." - redirect_to root_path + redirect_to root_path + end end def destroy diff --git a/app/views/admin/users/_head.html.haml b/app/views/admin/users/_head.html.haml index 8d1cab4137c..5e17b018163 100644 --- a/app/views/admin/users/_head.html.haml +++ b/app/views/admin/users/_head.html.haml @@ -6,7 +6,7 @@ %span.cred (Admin) .pull-right - - unless @user == current_user + - unless @user == current_user || @user.blocked? = link_to 'Impersonate', impersonate_admin_user_path(@user), method: :post, class: "btn btn-grouped btn-info" = link_to edit_admin_user_path(@user), class: "btn btn-grouped" do %i.fa.fa-pencil-square-o diff --git a/spec/controllers/admin/impersonation_controller_spec.rb b/spec/controllers/admin/impersonation_controller_spec.rb new file mode 100644 index 00000000000..d7a7ba1c5b6 --- /dev/null +++ b/spec/controllers/admin/impersonation_controller_spec.rb @@ -0,0 +1,19 @@ +require 'spec_helper' + +describe Admin::ImpersonationController do + let(:admin) { create(:admin) } + + before do + sign_in(admin) + end + + describe 'CREATE #impersonation when blocked' do + let(:blocked_user) { create(:user, state: :blocked) } + + it 'does not allow impersonation' do + post :create, id: blocked_user.username + + expect(flash[:alert]).to eq 'You cannot impersonate a blocked user' + end + end +end diff --git a/spec/features/admin/admin_users_spec.rb b/spec/features/admin/admin_users_spec.rb index 86f01faffb4..4570e409128 100644 --- a/spec/features/admin/admin_users_spec.rb +++ b/spec/features/admin/admin_users_spec.rb @@ -128,6 +128,16 @@ describe "Admin::Users", feature: true do expect(page).not_to have_content('Impersonate') end + + it 'should not show impersonate button for blocked user' do + another_user.block + + visit admin_user_path(another_user) + + expect(page).not_to have_content('Impersonate') + + another_user.activate + end end context 'when impersonating' do |