Incorrect Error Message when API returns 403

Bug Report

When trying to block a user via API users/:id/block, I received:

Cannot block a user that is already blocked by LDAP synchronization

This was really annoying as my GitLab instance does not use LDAP but AzureAD. I spent a lot of time trying to understand where the misconfiguration was on the server.

Relevant Code

And finally, I discovered that the error message is not generated by the server, but by the client. See https://gitlab.com/gitlab-org/api/client-go/blob/main/users.go?ref_type=heads#L109-109

It is emitted when server returns 403: https://gitlab.com/gitlab-org/api/client-go/blob/main/users.go?ref_type=heads#L1114-1114

In my case, the real issue was a token with read-only permissions. Thus, the 403 was correct from the server side, and had nothing to do with LDAP.

I would suggest changing the error processing.

Note: the response returned by the server contains:

{"error":"insufficient_scope","error_description":"The request requires higher privileges than provided by the access token.","scope":"read_user ai_workflows api read_api"}

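One way a client could surface the server's stated reason for a 403 on users/:id/block instead of assuming a cause, as an added example (not code from the report or from client-go). `ClassifyBlockResponse`, `ErrInsufficientScope`, `ErrForbidden` and `scopeError` are hypothetical names; only the Go standard library is used.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"net/http"
)

// Hypothetical sentinel errors for this example; not client-go identifiers.
var (
	ErrInsufficientScope = errors.New("access token scope is insufficient")
	ErrForbidden         = errors.New("request forbidden")
)

// scopeError mirrors the JSON body quoted in the report.
type scopeError struct {
	Code        string `json:"error"`
	Description string `json:"error_description"`
	Scope       string `json:"scope"`
}

// ClassifyBlockResponse maps the status and body of a users/:id/block
// response to an error without guessing a cause the server did not state.
func ClassifyBlockResponse(status int, body []byte) error {
	if status >= 200 && status < 300 {
		return nil
	}
	shown := body
	if len(shown) > 256 { // bound what ends up in error strings and logs
		shown = shown[:256]
	}
	if status == http.StatusForbidden {
		var se scopeError
		if json.Unmarshal(body, &se) == nil && se.Code == "insufficient_scope" {
			return fmt.Errorf("%w: %s (scope: %s)", ErrInsufficientScope, se.Description, se.Scope)
		}
		return fmt.Errorf("%w: %s", ErrForbidden, shown)
	}
	return fmt.Errorf("unexpected status %d: %s", status, shown)
}

func main() {
	// Body copied from the report above.
	reported := []byte(`{"error":"insufficient_scope","error_description":"The request requires higher privileges than provided by the access token.","scope":"read_user ai_workflows api read_api"}`)
	fmt.Println(ClassifyBlockResponse(http.StatusForbidden, reported))
	// Constructed body: a 403 that carries no machine-readable reason.
	fmt.Println(ClassifyBlockResponse(http.StatusForbidden, []byte(`{"message":"403 Forbidden"}`)))
}
```

Callers can branch with `errors.Is(err, ErrInsufficientScope)` to tell a token problem apart from any other forbidden response.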