Merge branch 'sh-delete-user-permission-check' into 'master'

Add user deletion permission check in `Users::DestroyService` See merge request !8974
author: Stan Hu <stanhu@gmail.com> 2017-02-21 21:14:02 +0300
committer: Stan Hu <stanhu@gmail.com> 2017-02-21 21:14:02 +0300
commit: 3619c221a13e915537be97603421381ce0e6765f (patch)
tree: 5e8a42ccb646e3e8c95f1342e56362ba2342c84a /app
parent: 5a381e58bf71ff3e588707fa92f46c7b0cb4d9d0 (diff)
parent: e23c803769955d6728ed048112f8ca21e9b58a47 (diff)
2 files changed, 6 insertions, 0 deletions
diff --git a/app/services/users/destroy_service.rb b/app/services/users/destroy_service.rb
index 2d11305be13..bc0653cb634 100644
--- a/app/services/users/destroy_service.rb
+++ b/app/services/users/destroy_service.rb
@@ -7,6 +7,10 @@ module Users
     end
 
     def execute(user, options = {})
+      unless current_user.admin? || current_user == user
+        raise Gitlab::Access::AccessDeniedError, "#{current_user} tried to destroy user #{user}!"
+      end
+
       if !options[:delete_solo_owned_groups] && user.solo_owned_groups.present?
         user.errors[:base] << 'You must transfer ownership or delete groups before you can remove user'
         return user
diff --git a/app/workers/delete_user_worker.rb b/app/workers/delete_user_worker.rb
index 5483bbb210b..3340a7be4fe 100644
--- a/app/workers/delete_user_worker.rb
+++ b/app/workers/delete_user_worker.rb
@@ -7,5 +7,7 @@ class DeleteUserWorker
     current_user = User.find(current_user_id)
 
     Users::DestroyService.new(current_user).execute(delete_user, options.symbolize_keys)
+  rescue Gitlab::Access::AccessDeniedError => e
+    Rails.logger.warn("User could not be destroyed: #{e}")
   end
 end
author	Stan Hu <stanhu@gmail.com>	2017-02-21 21:14:02 +0300
committer	Stan Hu <stanhu@gmail.com>	2017-02-21 21:14:02 +0300
commit	3619c221a13e915537be97603421381ce0e6765f (patch)
tree	5e8a42ccb646e3e8c95f1342e56362ba2342c84a /app
parent	5a381e58bf71ff3e588707fa92f46c7b0cb4d9d0 (diff)
parent	e23c803769955d6728ed048112f8ca21e9b58a47 (diff)