authorBob Van Landuyt <bob@vanlanduyt.co>2018-05-08 15:07:55 +0200
committerBob Van Landuyt <bob@vanlanduyt.co>2018-05-10 17:02:27 +0200
commitf7f13f9db0da92c7b43481dfe5559f317711e533 (patch)
tree59359aecb555f844de1a81a0aebbd70336fbb8c1 /lib
parentf667bbceaba7556d5fb2adadce4b7d170b914e8a (diff)
Block access to API & git when terms are enforced
When terms are enforced but the user has not accepted them, access to the API & git is rejected with a message directing the user to the web app to accept the terms.
Diffstat (limited to 'lib')
-rw-r--r--lib/api/api_guard.rb12
-rw-r--r--lib/gitlab/auth/user_access_denied_reason.rb33
-rw-r--r--lib/gitlab/git_access.rb6
3 files changed, 46 insertions, 5 deletions
diff --git a/lib/api/api_guard.rb b/lib/api/api_guard.rb
index c2113551207..c17089759de 100644
--- a/lib/api/api_guard.rb
+++ b/lib/api/api_guard.rb
@@ -45,7 +45,9 @@ module API
user = find_user_from_sources
return unless user
- forbidden!('User is blocked') unless Gitlab::UserAccess.new(user).allowed? && user.can?(:access_api)
+ unless api_access_allowed?(user)
+ forbidden!(api_access_denied_message(user))
+ end
user
end
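Review bot: The message passed to `forbidden!` is derived separately from the check that failed, so the two can disagree. `api_access_allowed?` (added in the next hunk) is false when either `Gitlab::UserAccess.new(user).allowed?` or `user.can?(:access_api)` is false, while `api_access_denied_message` only looks at `internal?` and `required_terms_not_accepted?` and otherwise reports 'Your account has been blocked.'. A user who fails only the `:access_api` ability for some other reason would therefore be told the account is blocked. If that case can occur, a comment on `api_access_denied_message` such as `# Only meaningful after api_access_allowed?(user) returned false; any unrecognised denial is reported as a blocked account` would make the fallback explicit. The enclosing method starts outside this hunk.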
@@ -72,6 +74,14 @@ module API
end
end
end
+
+ def api_access_allowed?(user)
+ Gitlab::UserAccess.new(user).allowed? && user.can?(:access_api)
+ end
+
+ def api_access_denied_message(user)
+ Gitlab::Auth::UserAccessDeniedReason.new(user).rejection_message
+ end
end
module ClassMethods
diff --git a/lib/gitlab/auth/user_access_denied_reason.rb b/lib/gitlab/auth/user_access_denied_reason.rb
new file mode 100644
index 00000000000..af310aa12fc
--- /dev/null
+++ b/lib/gitlab/auth/user_access_denied_reason.rb
@@ -0,0 +1,33 @@
+module Gitlab
+ module Auth
+ class UserAccessDeniedReason
+ def initialize(user)
+ @user = user
+ end
+
+ def rejection_message
+ case rejection_type
+ when :internal
+ 'This action cannot be performed by internal users'
+ when :terms_not_accepted
+ 'You must accept the Terms of Service in order to perform this action. '\
+ 'Please access GitLab from a web browser to accept these terms.'
+ else
+ 'Your account has been blocked.'
+ end
+ end
+
+ private
+
+ def rejection_type
+ if @user.internal?
+ :internal
+ elsif @user.required_terms_not_accepted?
+ :terms_not_accepted
+ else
+ :blocked
+ end
+ end
+ end
+ end
+end
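Review bot: `rejection_type` treats every user who is neither internal nor missing terms as `:blocked`, and nothing in the class checks that access was actually denied, so calling `rejection_message` on a user who is allowed still returns 'Your account has been blocked.'. The class has no documentation stating that precondition; a header comment such as `# Explains why Gitlab::UserAccess denied a user. Call only after an access check has failed.` would help the next caller. The branch order also means a user who is blocked and has not accepted the terms gets the terms message, which sends them to the web app even though accepting would presumably not restore access. Checking the blocked state before `required_terms_not_accepted?` would avoid that, if the user model exposes it.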
diff --git a/lib/gitlab/git_access.rb b/lib/gitlab/git_access.rb
index 0d1ee73ca1a..520b92a0363 100644
--- a/lib/gitlab/git_access.rb
+++ b/lib/gitlab/git_access.rb
@@ -2,8 +2,6 @@
# class return an instance of `GitlabAccessStatus`
module Gitlab
class GitAccess
- include Gitlab::Utils::StrongMemoize
-
UnauthorizedError = Class.new(StandardError)
NotFoundError = Class.new(StandardError)
ProjectCreationError = Class.new(StandardError)
@@ -17,7 +15,6 @@ module Gitlab
deploy_key_upload: 'This deploy key does not have write access to this project.',
no_repo: 'A repository for this project does not exist yet.',
project_not_found: 'The project you were looking for could not be found.',
- account_blocked: 'Your account has been blocked.',
command_not_allowed: "The command you're trying to execute is not allowed.",
upload_pack_disabled_over_http: 'Pulling over HTTP is not allowed.',
receive_pack_disabled_over_http: 'Pushing over HTTP is not allowed.',
@@ -109,7 +106,8 @@ module Gitlab
def check_active_user!
if user && !user_access.allowed?
- raise UnauthorizedError, ERROR_MESSAGES[:account_blocked]
+ message = Gitlab::Auth::UserAccessDeniedReason.new(user).rejection_message
+ raise UnauthorizedError, message
end
end
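Review bot: Nothing in this hunk shows that `user_access.allowed?` returns false for a user who has not accepted the terms, so whether git access is actually rejected depends on code outside this lib-only view. The same holds for `api_access_allowed?` in lib/api/api_guard.rb. If the enforcement lives in `Gitlab::UserAccess` or a policy, a short comment here would record it, for example `# allowed? is also false while required terms are unaccepted; the reason object picks the matching message`, once that is confirmed. A spec asserting that `check_active_user!` raises `UnauthorizedError` with the terms message for such a user would pin the behaviour the commit title promises.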