authorAndrew Tomaka <atomaka@gmail.com>2015-12-01 23:40:24 -0500
committerAndrew Tomaka <atomaka@gmail.com>2015-12-02 08:07:29 -0500
commitdaca985a6e75d6f43c5cc5b487a0942d5bf93f68 (patch)
tree579e8734014953e8aaa1c784cd4a857e50c6ed79
parent09e712c0fb721059e4b2619eb9fc104257fc492d (diff)
downloadgitlab-ce-daca985a6e75d6f43c5cc5b487a0942d5bf93f68.tar.gz
Prevent impersonation if blocked
-rw-r--r--app/controllers/admin/impersonation_controller.rb16
-rw-r--r--app/views/admin/users/_head.html.haml2
-rw-r--r--spec/controllers/admin/impersonation_controller_spec.rb19
-rw-r--r--spec/features/admin/admin_users_spec.rb10
4 files changed, 41 insertions, 6 deletions
diff --git a/app/controllers/admin/impersonation_controller.rb b/app/controllers/admin/impersonation_controller.rb
index 0382402afa6..102dd437402 100644
--- a/app/controllers/admin/impersonation_controller.rb
+++ b/app/controllers/admin/impersonation_controller.rb
@@ -5,14 +5,20 @@ class Admin::ImpersonationController < Admin::ApplicationController
before_action :authorize_impersonator!
def create
- session[:impersonator_id] = current_user.username
- session[:impersonator_return_to] = request.env['HTTP_REFERER']
+ if @user.blocked?
+ flash[:alert] = "You cannot impersonate a blocked user"
- warden.set_user(user, scope: 'user')
+ redirect_to admin_user_path(@user)
+ else
+ session[:impersonator_id] = current_user.username
+ session[:impersonator_return_to] = request.env['HTTP_REFERER']
+
+ warden.set_user(user, scope: 'user')
- flash[:alert] = "You are impersonating #{user.username}."
+ flash[:alert] = "You are impersonating #{user.username}."
- redirect_to root_path
+ redirect_to root_path
+ end
end
def destroy
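Review bot: The new blocked check in `create` reads `@user.blocked?` while the rest of the method keeps calling `user` for `warden.set_user` and the flash message, so the same record is reached two different ways inside one method; presumably `user` is the private finder that memoizes into `@user`, but the mixed access hides that dependency. Using the accessor throughout and making the blocked branch a guard clause keeps the happy path flat: `return redirect_to(admin_user_path(user), alert: 'You cannot impersonate a blocked user') if user.blocked?`. Enforcing this in the controller rather than only in the view is the right placement, since the POST route stays reachable whether or not the button is rendered. The class header and the `destroy` body lie outside the hunk.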
diff --git a/app/views/admin/users/_head.html.haml b/app/views/admin/users/_head.html.haml
index 8d1cab4137c..5e17b018163 100644
--- a/app/views/admin/users/_head.html.haml
+++ b/app/views/admin/users/_head.html.haml
@@ -6,7 +6,7 @@
%span.cred (Admin)
.pull-right
- - unless @user == current_user
+ - unless @user == current_user || @user.blocked?
= link_to 'Impersonate', impersonate_admin_user_path(@user), method: :post, class: "btn btn-grouped btn-info"
= link_to edit_admin_user_path(@user), class: "btn btn-grouped" do
%i.fa.fa-pencil-square-o
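Review bot: The changed condition combines `unless` with `||`, which the Ruby style guide advises against because the reader has to negate a disjunction mentally; the positive form `- if @user != current_user && !@user.blocked?` states directly that the button appears only for other, unblocked users. Hiding the link is presentation only, so the controller-side check remains the control that actually prevents impersonation of a blocked account.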
diff --git a/spec/controllers/admin/impersonation_controller_spec.rb b/spec/controllers/admin/impersonation_controller_spec.rb
new file mode 100644
index 00000000000..d7a7ba1c5b6
--- /dev/null
+++ b/spec/controllers/admin/impersonation_controller_spec.rb
@@ -0,0 +1,19 @@
+require 'spec_helper'
+
+describe Admin::ImpersonationController do
+ let(:admin) { create(:admin) }
+
+ before do
+ sign_in(admin)
+ end
+
+ describe 'CREATE #impersonation when blocked' do
+ let(:blocked_user) { create(:user, state: :blocked) }
+
+ it 'does not allow impersonation' do
+ post :create, id: blocked_user.username
+
+ expect(flash[:alert]).to eq 'You cannot impersonate a blocked user'
+ end
+ end
+end
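Review bot: The single example in the new controller spec asserts only the flash text, not the security-relevant outcome that no impersonation session was started. Adding `expect(session[:impersonator_id]).to be_nil` and `expect(response).to redirect_to(admin_user_path(blocked_user))` would catch a regression that sets the flash but still reaches `warden.set_user`. The describe label `'CREATE #impersonation when blocked'` would conventionally read `'POST #create'` with a nested `context 'when the user is blocked'`.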
diff --git a/spec/features/admin/admin_users_spec.rb b/spec/features/admin/admin_users_spec.rb
index 86f01faffb4..4570e409128 100644
--- a/spec/features/admin/admin_users_spec.rb
+++ b/spec/features/admin/admin_users_spec.rb
@@ -128,6 +128,16 @@ describe "Admin::Users", feature: true do
expect(page).not_to have_content('Impersonate')
end
+
+ it 'should not show impersonate button for blocked user' do
+ another_user.block
+
+ visit admin_user_path(another_user)
+
+ expect(page).not_to have_content('Impersonate')
+
+ another_user.activate
+ end
end
context 'when impersonating' do
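Review bot: The `another_user.activate` call at the end of the new example is cleanup that only runs when the expectation passes; a failing `expect` raises before it and leaves the user blocked for any later example sharing that record. Either create a dedicated user for this example, `let(:blocked_user) { create(:user, state: :blocked) }` as the controller spec does, or move the reset into an `after` hook. Whether `another_user` is fresh per example depends on its `let` definition, which is outside this hunk.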