diff options
| author | Stan Hu <stanhu@gmail.com> | 2017-02-04 11:14:17 +0300 |
|---|---|---|
| committer | Rémy Coutable <remy@rymai.me> | 2017-02-20 19:19:11 +0300 |
| commit | e23c803769955d6728ed048112f8ca21e9b58a47 (patch) | |
| tree | 9e184ee7f60d891cc9be7e2f561d5189c4942192 /app/workers | |
| parent | fbbbf1e4e77768a40b835455f17749384f7c4984 (diff) | |
Add user deletion permission check in `Users::DestroyService`
We saw from a recent incident that the `Users::DestroyService` would
attempt to delete a user over and over. Revoking the permissions
from the current user did not help. We should ensure that the
current user does, in fact, have permissions to delete the user.
Signed-off-by: Rémy Coutable <remy@rymai.me>
Diffstat (limited to 'app/workers')
| -rw-r--r-- | app/workers/delete_user_worker.rb | 2 |
1 files changed, 2 insertions, 0 deletions
diff --git a/app/workers/delete_user_worker.rb b/app/workers/delete_user_worker.rb index 5483bbb210b..3340a7be4fe 100644 --- a/app/workers/delete_user_worker.rb +++ b/app/workers/delete_user_worker.rb @@ -7,5 +7,7 @@ class DeleteUserWorker current_user = User.find(current_user_id) Users::DestroyService.new(current_user).execute(delete_user, options.symbolize_keys) + rescue Gitlab::Access::AccessDeniedError => e + Rails.logger.warn("User could not be destroyed: #{e}") end end |