APIv4 PUT /users/{user_id}/active (#6118)

api4/user.go

@@ -32,6 +32,7 @@ func InitUser() {
 	BaseRoutes.User.Handle("/patch", ApiSessionRequired(patchUser)).Methods("PUT")
 	BaseRoutes.User.Handle("", ApiSessionRequired(deleteUser)).Methods("DELETE")
 	BaseRoutes.User.Handle("/roles", ApiSessionRequired(updateUserRoles)).Methods("PUT")
+	BaseRoutes.User.Handle("/active", ApiSessionRequired(updateUserActive)).Methods("PUT")
 	BaseRoutes.User.Handle("/password", ApiSessionRequired(updatePassword)).Methods("PUT")
 	BaseRoutes.Users.Handle("/password/reset", ApiHandler(resetPassword)).Methods("POST")
 	BaseRoutes.Users.Handle("/password/reset/send", ApiHandler(sendPasswordReset)).Methods("POST")
@@ -587,6 +588,37 @@ func updateUserRoles(c *Context, w http.ResponseWriter, r *http.Request) {
 	ReturnStatusOK(w)
 }
 
+func updateUserActive(c *Context, w http.ResponseWriter, r *http.Request) {
+	c.RequireUserId()
+	if c.Err != nil {
+		return
+	}
+
+	props := model.StringInterfaceFromJson(r.Body)
+
+	active, ok := props["active"].(bool)
+	if !ok {
+		c.SetInvalidParam("active")
+		return
+	}
+
+	// true when you're trying to de-activate yourself
+	isSelfDeactive := !active && c.Params.UserId == c.Session.UserId
+
+	if !isSelfDeactive && !app.SessionHasPermissionTo(c.Session, model.PERMISSION_MANAGE_SYSTEM) {
+		c.Err = model.NewLocAppError("updateUserActive", "api.user.update_active.permissions.app_error", nil, "userId="+c.Params.UserId)
+		c.Err.StatusCode = http.StatusForbidden
+		return
+	}
+
+	if ruser, err := app.UpdateActiveNoLdap(c.Params.UserId, active); err != nil {
+		c.Err = err
+	} else {
+		c.LogAuditWithUserId(ruser.Id, fmt.Sprintf("active=%v", active))
+		ReturnStatusOK(w)
+	}
+}
+
 func checkUserMfa(c *Context, w http.ResponseWriter, r *http.Request) {
 	props := model.MapFromJson(r.Body)
 

api4/user_test.go

@@ -850,6 +850,49 @@ func TestUpdateUserRoles(t *testing.T) {
 	CheckBadRequestStatus(t, resp)
 }
 
+func TestUpdateUserActive(t *testing.T) {
+	th := Setup().InitBasic().InitSystemAdmin()
+	Client := th.Client
+	SystemAdminClient := th.SystemAdminClient
+	user := th.BasicUser
+
+	pass, resp := Client.UpdateUserActive(user.Id, false)
+	CheckNoError(t, resp)
+
+	if !pass {
+		t.Fatal("should have returned true")
+	}
+
+	pass, resp = Client.UpdateUserActive(user.Id, false)
+	CheckUnauthorizedStatus(t, resp)
+
+	if pass {
+		t.Fatal("should have returned false")
+	}
+
+	th.LoginBasic2()
+
+	_, resp = Client.UpdateUserActive(user.Id, true)
+	CheckForbiddenStatus(t, resp)
+
+	_, resp = Client.UpdateUserActive(GenerateTestId(), true)
+	CheckForbiddenStatus(t, resp)
+
+	_, resp = Client.UpdateUserActive("junk", true)
+	CheckBadRequestStatus(t, resp)
+
+	Client.Logout()
+
+	_, resp = Client.UpdateUserActive(user.Id, true)
+	CheckUnauthorizedStatus(t, resp)
+
+	_, resp = SystemAdminClient.UpdateUserActive(user.Id, true)
+	CheckNoError(t, resp)
+
+	_, resp = SystemAdminClient.UpdateUserActive(user.Id, false)
+	CheckNoError(t, resp)
+}
+
 func TestGetUsers(t *testing.T) {
 	th := Setup().InitBasic()
 	defer TearDown()

model/client4.go

@@ -693,6 +693,19 @@ func (c *Client4) UpdateUserRoles(userId, roles string) (bool, *Response) {
 	}
 }
 
+// UpdateUserActive updates status of a user whether active or not.
+func (c *Client4) UpdateUserActive(userId string, active bool) (bool, *Response) {
+	requestBody := make(map[string]interface{})
+	requestBody["active"] = active
+
+	if r, err := c.DoApiPut(c.GetUserRoute(userId)+"/active", StringInterfaceToJson(requestBody)); err != nil {
+		return false, &Response{StatusCode: r.StatusCode, Error: err}
+	} else {
+		defer closeBody(r)
+		return CheckStatusOK(r), BuildResponse(r)
+	}
+}
+
 // DeleteUser deactivates a user in the system based on the provided user id string.
 func (c *Client4) DeleteUser(userId string) (bool, *Response) {
 	if r, err := c.DoApiDelete(c.GetUserRoute(userId)); err != nil {