MM 57516 - deactivate actions to ldap users (mattermost#28199)

* MM-57516 - restrict activation/deactivation over ldap users * Add unit tests * refactor test to unify repeated actions * add disable actions in user details too * migrate test to use react-testing-library * add new ldap user test and fix other existing tests * restrict ldap users status management via api * use correct server status and update tests --------- Co-authored-by: Mattermost Build <[email protected]>
Aryakoste · Oct 9, 2024 · 6cafd45 · 6cafd45
1 parent ac38f5f
commit 6cafd45
Show file tree

Hide file tree

Showing 10 changed files with 1,360 additions and 798 deletions.
diff --git a/server/channels/api4/user.go b/server/channels/api4/user.go
@@ -1540,6 +1540,11 @@ func updateUserActive(c *Context, w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
+	if user.AuthService == model.UserAuthServiceLdap {
+		c.Err = model.NewAppError("updateUserActive", "api.user.update_active.cannot_modify_status_when_user_is_managed_by_ldap.app_error", nil, "userId="+c.Params.UserId, http.StatusForbidden)
+		return
+	}
+
 	if _, err = c.App.UpdateActive(c.AppContext, user, active); err != nil {
 		c.Err = err
 		return

diff --git a/server/channels/api4/user_test.go b/server/channels/api4/user_test.go
@@ -2684,6 +2684,31 @@ func TestUpdateUserActive(t *testing.T) {
 			require.NoError(t, err)
 		})
 	})
+
+	t.Run("update active status of LDAP user should fail", func(t *testing.T) {
+		th := Setup(t).InitBasic()
+		defer th.TearDown()
+
+		ldapUser := &model.User{
+			Email:         "[email protected]",
+			Username:      "ldapuser",
+			Password:      "Password123",
+			AuthService:   model.UserAuthServiceLdap,
+			EmailVerified: true,
+		}
+		user, appErr := th.App.CreateUser(th.Context, ldapUser)
+		require.Nil(t, appErr)
+
+		th.TestForSystemAdminAndLocal(t, func(t *testing.T, client *model.Client4) {
+			resp, err := client.UpdateUserActive(context.Background(), user.Id, false)
+			require.Error(t, err)
+			CheckForbiddenStatus(t, resp)
+
+			resp, err = client.UpdateUserActive(context.Background(), user.Id, true)
+			require.Error(t, err)
+			CheckForbiddenStatus(t, resp)
+		})
+	})
 }
 
 func TestGetUsers(t *testing.T) {

diff --git a/server/i18n/en.json b/server/i18n/en.json
@@ -4178,6 +4178,10 @@
     "id": "api.user.update_active.cannot_enable_guest_when_guest_feature_is_disabled.app_error",
     "translation": "You cannot activate a guest account because Guest Access feature is not enabled."
   },
+  {
+    "id": "api.user.update_active.cannot_modify_status_when_user_is_managed_by_ldap.app_error",
+    "translation": "You cannot modify user status. User is managed by LDAP"
+  },
   {
     "id": "api.user.update_active.not_enable.app_error",
     "translation": "You cannot deactivate yourself because this feature is not enabled. Please contact your System Administrator."