Admins should be blocked from impersonating expired accounts
Summary
(Issue split from #332570)
If you impersonate into an expired account, you the loading of the repo browser fails
Steps to reproduce
- Impersonate into an account which is expired (e.g. after changing the password of the account)
- Navigate to a project of the impersonated user
What is the current bug behavior?
Message An error occurred while fetching folder content
appears and an incomplete folder UI is displayed.
What is the expected correct behavior?
Two options:
- Instead of folder browser an error message appears like "Your password has expired. Renew it to see this content.".
- The user cannot even access the page => user can only access their profile, but nothing other (if it is currently not already the case). The Admin can see everything, but get an message, that the user cannot access this site (e.g. in case the admin should be able to check on which projects an expired user had access).
Related to option 2: This may be an extension of MR gitlab-org/security!1446 as maybe an expired user should not see anything (e.g issues, CI, ...) - but didn't tried which access an expired user still has.
Relevant logs and/or screenshots
Proposal
The Impersonate
button for expired users in the Admin Area should be disabled with a tooltip that explains why.
Edited by Marcel van Remmerden