spec/services/users/reject_service_spec.rb


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93

# frozen_string_literal: true

require 'spec_helper'

RSpec.describe Users::RejectService do
  let_it_be(:current_user) { create(:admin) }

  let(:user) { create(:user, :blocked_pending_approval) }

  subject(:execute) { described_class.new(current_user).execute(user) }

  describe '#execute' do
    context 'failures' do
      context 'when the executor user is not allowed to reject users' do
        let(:current_user) { create(:user) }

        it 'returns error result' do
          expect(subject[:status]).to eq(:error)
          expect(subject[:message]).to match(/You are not allowed to reject a user/)
        end
      end

      context 'when the executor user is an admin in admin mode', :enable_admin_mode do
        context 'when user is not in pending approval state' do
          let(:user) { create(:user, state: 'active') }

          it 'returns error result' do
            expect(subject[:status]).to eq(:error)
            expect(subject[:message])
              .to match(/User does not have a pending request/)
          end
        end
      end
    end

    context 'success' do
      context 'when the executor user is an admin in admin mode', :enable_admin_mode do
        context 'when user_destroy_with_limited_execution_time_worker is enabled' do
          it 'initiates user removal', :sidekiq_inline do
            subject

            expect(subject[:status]).to eq(:success)
            expect(
              Users::GhostUserMigration.where(user: user,
                                              initiator_user: current_user)
            ).to be_exists
          end
        end

        context 'when user_destroy_with_limited_execution_time_worker is disabled' do
          before do
            stub_feature_flags(user_destroy_with_limited_execution_time_worker: false)
          end

          it 'deletes the user', :sidekiq_inline do
            subject

            expect(subject[:status]).to eq(:success)
            expect { User.find(user.id) }.to raise_error(ActiveRecord::RecordNotFound)
          end
        end

        it 'emails the user on rejection' do
          expect_next_instance_of(NotificationService) do |notification|
            allow(notification).to receive(:user_admin_rejection).with(user.name, user.notification_email_or_default)
          end

          subject
        end

        it 'logs rejection in application logs' do
          allow(Gitlab::AppLogger).to receive(:info)

          subject

          expect(Gitlab::AppLogger).to have_received(:info).with(message: "User instance access request rejected", user: "#{user.username}", email: "#{user.email}", rejected_by: "#{current_user.username}", ip_address: "#{current_user.current_sign_in_ip}")
        end
      end
    end

    context 'audit events' do
      context 'when not licensed' do
        before do
          stub_licensed_features(admin_audit_log: false)
        end

        it 'does not log any audit event' do
          expect { subject }.not_to change(AuditEvent, :count)
        end
      end
    end
  end
end