SONAR-6469 Prevent self-deactivation
authorJean-Baptiste Lievremont <jean-baptiste.lievremont@sonarsource.com>
Mon, 18 May 2015 09:50:40 +0000 (11:50 +0200)
committerJean-Baptiste Lievremont <jean-baptiste.lievremont@sonarsource.com>
Mon, 18 May 2015 13:04:17 +0000 (15:04 +0200)
server/sonar-server/src/main/java/org/sonar/server/user/ws/DeactivateAction.java
server/sonar-server/src/test/java/org/sonar/server/user/ws/DeactivateActionTest.java

index 1d154a887f3aa2d8bc366005389c0309bb8f8550..620208e8e76e5127d4d65035ba0224eecbcba278 100644 (file)
@@ -26,6 +26,7 @@ import org.sonar.api.server.ws.WebService;
 import org.sonar.api.server.ws.WebService.NewAction;
 import org.sonar.api.utils.text.JsonWriter;
 import org.sonar.core.permission.GlobalPermissions;
+import org.sonar.server.exceptions.BadRequestException;
 import org.sonar.server.user.UserSession;
 import org.sonar.server.user.UserUpdater;
 import org.sonar.server.user.index.UserDoc;
@@ -64,6 +65,9 @@ public class DeactivateAction implements UsersWsAction {
     userSession.checkLoggedIn().checkGlobalPermission(GlobalPermissions.SYSTEM_ADMIN);
 
     String login = request.mandatoryParam(PARAM_LOGIN);
+    if (login.equals(userSession.getLogin())) {
+      throw new BadRequestException("Self-deactivation is not possible");
+    }
     userUpdater.deactivateUserByLogin(login);
 
     writeResponse(response, login);
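Review bot: The guard added before `userUpdater.deactivateUserByLogin(login)` only covers the caller's own login; it still lets an admin deactivate the last remaining SYSTEM_ADMIN (or two admins deactivate each other), which leaves the instance with no account able to administer it, unless `deactivateUserByLogin` checks that itself, which is not visible here. The comparison is also exact-case; if logins are treated case-insensitively elsewhere in the server, `Admin` would slip past this check, so that should be confirmed against the login lookup. A one-line comment on the new `if` would make the intent explicit: `// Refuse to deactivate the caller's own account: an admin must not be able to lock themselves out.` The rest of the handler, including the `writeResponse` body, is outside this hunk.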
index 8a1ee1daf748c5287f71cea6018ff5a6415fee10..c251ad45a03e20cbcd182741354acedcbca61b6d 100644 (file)
@@ -38,6 +38,7 @@ import org.sonar.core.persistence.DbTester;
 import org.sonar.core.user.UserDto;
 import org.sonar.server.db.DbClient;
 import org.sonar.server.es.EsTester;
+import org.sonar.server.exceptions.BadRequestException;
 import org.sonar.server.exceptions.ForbiddenException;
 import org.sonar.server.exceptions.NotFoundException;
 import org.sonar.server.tester.UserSessionRule;
@@ -118,6 +119,16 @@ public class DeactivateActionTest {
     assertThat(user.active()).isFalse();
   }
 
+  @Test(expected = BadRequestException.class)
+  public void cannot_deactivate_self() throws Exception {
+    createUser();
+
+    userSessionRule.login("admin").setGlobalPermissions(GlobalPermissions.SYSTEM_ADMIN);
+    tester.newPostRequest("api/users", "deactivate")
+      .setParam("login", "admin")
+      .execute();
+  }
+
   @Test(expected = ForbiddenException.class)
   public void fail_on_missing_permission() throws Exception {
     createUser();
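Review bot: `cannot_deactivate_self` never creates a user with login `admin`; `createUser()` presumably creates some other user, so the test passes only because the self-check runs before any lookup of the target. That ordering is worth stating, since a refactor that moved the guard after the lookup would surface as a `NotFoundException` rather than a silent regression. Add a comment above the request: `// "admin" is not persisted: the self-check must fire before the user lookup.` The `@Test(expected = ...)` form also cannot assert that the session user is still active afterwards; if the index is populated in this test class, a try/fail/catch followed by an `active()` assertion would pin that too.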