From 5510b96617071d2bc6b64a934217678cb2aa0164 Mon Sep 17 00:00:00 2001
From: Jean-Baptiste Lievremont
Date: Mon, 18 May 2015 11:50:40 +0200
Subject: [PATCH] SONAR-6469 Prevent self-deactivation
---
 .../org/sonar/server/user/ws/DeactivateAction.java | 4 ++++
 .../sonar/server/user/ws/DeactivateActionTest.java | 11 +++++++++++
 2 files changed, 15 insertions(+)
diff --git a/server/sonar-server/src/main/java/org/sonar/server/user/ws/DeactivateAction.java b/server/sonar-server/src/main/java/org/sonar/server/user/ws/DeactivateAction.java
index 1d154a887f3..620208e8e76 100644
--- a/server/sonar-server/src/main/java/org/sonar/server/user/ws/DeactivateAction.java
+++ b/server/sonar-server/src/main/java/org/sonar/server/user/ws/DeactivateAction.java
@@ -26,6 +26,7 @@ import org.sonar.api.server.ws.WebService;
 import org.sonar.api.server.ws.WebService.NewAction;
 import org.sonar.api.utils.text.JsonWriter;
 import org.sonar.core.permission.GlobalPermissions;
+import org.sonar.server.exceptions.BadRequestException;
 import org.sonar.server.user.UserSession;
 import org.sonar.server.user.UserUpdater;
 import org.sonar.server.user.index.UserDoc;
@@ -64,6 +65,9 @@ public class DeactivateAction implements UsersWsAction {
 userSession.checkLoggedIn().checkGlobalPermission(GlobalPermissions.SYSTEM_ADMIN);
 String login = request.mandatoryParam(PARAM_LOGIN);
+ if (login.equals(userSession.getLogin())) {
+ throw new BadRequestException("Self-deactivation is not possible");
+ }
 userUpdater.deactivateUserByLogin(login);
 writeResponse(response, login);
diff --git a/server/sonar-server/src/test/java/org/sonar/server/user/ws/DeactivateActionTest.java b/server/sonar-server/src/test/java/org/sonar/server/user/ws/DeactivateActionTest.java
index 8a1ee1daf74..c251ad45a03 100644
--- a/server/sonar-server/src/test/java/org/sonar/server/user/ws/DeactivateActionTest.java
+++ b/server/sonar-server/src/test/java/org/sonar/server/user/ws/DeactivateActionTest.java
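Review bot: The new guard in `handle()` stops an administrator from deactivating the account they are logged in with, but it does not prevent the lockout scenario that usually motivates such a rule — two SYSTEM_ADMIN users can still deactivate each other, and one admin can still deactivate every other admin, leaving the instance with no active administrator. If that broader concern is in scope for SONAR-6469, consider a second check that rejects the request when the target is the last active user holding SYSTEM_ADMIN, and note that `UserUpdater.deactivateUserByLogin` is the shared entry point, so any caller other than this web service bypasses the self-deactivation check added here. Independently of that, the rule deserves a why-comment above the `if`, e.g. `// Refuse to deactivate the caller's own account: it would invalidate the current session and can lock the admin out`. `handle()` begins and ends outside the hunk.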
@@ -38,6 +38,7 @@ import org.sonar.core.persistence.DbTester;
 import org.sonar.core.user.UserDto;
 import org.sonar.server.db.DbClient;
 import org.sonar.server.es.EsTester;
+import org.sonar.server.exceptions.BadRequestException;
 import org.sonar.server.exceptions.ForbiddenException;
 import org.sonar.server.exceptions.NotFoundException;
 import org.sonar.server.tester.UserSessionRule;
@@ -118,6 +119,16 @@ public class DeactivateActionTest {
 assertThat(user.active()).isFalse();
 }
+ @Test(expected = BadRequestException.class)
+ public void cannot_deactivate_self() throws Exception {
+ createUser();
+
+ userSessionRule.login("admin").setGlobalPermissions(GlobalPermissions.SYSTEM_ADMIN);
+ tester.newPostRequest("api/users", "deactivate")
+ .setParam("login", "admin")
+ .execute();
+ }
+ @Test(expected = ForbiddenException.class)
+ public void fail_on_missing_permission() throws Exception {
+ createUser();
-- 
2.39.5
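Review bot: `cannot_deactivate_self` asserts only that a `BadRequestException` escapes the request; it never checks the account's state, so it would still pass if the exception were thrown after the user had been deactivated. After the rejected call, re-read the `admin` user and assert it is still active, the way the preceding test checks `user.active()`, which means replacing `@Test(expected = …)` with a try/catch that calls `fail()` after `execute()` or with an `ExpectedException` rule. `createUser()` is defined outside the hunk; if it does not create a user whose login is `admin`, the test only proves that the guard runs before any lookup, so create the `admin` user explicitly so that the state assertion is meaningful.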