Auditor users unable to view blocked users via the list users API endpoint


Original Summary

Proposal

Auditor users are able to access the List Users API endpoint. The documentation seems to suggest that for non-admin users the blocked parameter is set to false by default, which allows for listing all users and not only blocked users. This works as expected for admin users.

Upon further testing, auditor users are unable to list blocked users with either:

  • http(s)://<instance-url>/api/v4/users - should return blocked users as well as active users
  • http(s)://<instance-url>/api/v4/users?blocked=true - should return blocked users.

This has come up in a ticket linked below for other GitLab Team Members who have access.

ZD Ticket - internal only

It would be helpful for auditor users to be able to view blocked users using the List users API endpoint.

Summary

Auditor users are able to access the List Users API endpoint per the documentation.

When using the API to retrieve blocked users, only admin users can see blocked users.

Auditor users cannot view blocked users, even when using query parameters like blocked=true. This behaviour contradicts the API documentation, which suggests that non-admin users should be able to list blocked users.

Steps to Reproduce

  1. Log in as a non-admin user (auditor or regular user)
  2. Attempt to list blocked users via:
    • http(s)://<instance-url>/api/v4/users
    • http(s)://<instance-url>/api/v4/users?blocked=true
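
To make the two checks above repeatable, the following script is an added example; it is not code from the issue or from GitLab. It assumes a base URL and two personal access tokens (ADMIN_TOKEN and AUDITOR_TOKEN are placeholders), walks every page of GET /api/v4/users via the X-Next-Page header, and reports which blocked users the admin token sees that the auditor token does not. The `fake_get` transport and the user records in it are constructed sample data that model the reported behaviour so the script runs offline; pass `get=http_get` to run it against a real instance.

```python
"""Check whether a token can see blocked users via GET /api/v4/users.

Added example, not part of the issue or of GitLab. ADMIN_TOKEN and
AUDITOR_TOKEN are placeholders; the ACTIVE/BLOCKED records below are
constructed sample data, not a captured response.
"""
import json
import urllib.parse
import urllib.request

ADMIN_TOKEN = "glpat-admin-placeholder"      # placeholder, not a real token
AUDITOR_TOKEN = "glpat-auditor-placeholder"  # placeholder, not a real token


def build_users_url(base_url, blocked, page, per_page=100):
    """Build the List Users URL; blocked=true is the filter the issue exercises."""
    params = {"page": page, "per_page": per_page}
    if blocked is not None:
        params["blocked"] = "true" if blocked else "false"
    return f"{base_url.rstrip('/')}/api/v4/users?{urllib.parse.urlencode(params)}"


def http_get(url, token):
    """Live transport: returns (json_body, X-Next-Page header) for one page."""
    req = urllib.request.Request(url, headers={"PRIVATE-TOKEN": token})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp), resp.headers.get("X-Next-Page", "")


def list_users(base_url, token, blocked=None, get=http_get):
    """Walk every page of /api/v4/users and return the combined user list."""
    users, page = [], 1
    while True:
        body, next_page = get(build_users_url(base_url, blocked, page), token)
        users.extend(body)
        if not next_page:
            return users
        page = int(next_page)


def blocked_usernames(users):
    """Usernames whose 'state' is 'blocked'; 'state' is part of the basic user object."""
    return sorted(u["username"] for u in users if u.get("state") == "blocked")


def missing_blocked_users(admin_users, auditor_users):
    """Blocked users the admin sees but the auditor does not; non-empty means the bug reproduces."""
    return sorted(set(blocked_usernames(admin_users)) - set(blocked_usernames(auditor_users)))


# Constructed sample users standing in for a live instance.
ACTIVE = [
    {"id": 1, "username": "alice", "name": "Alice", "state": "active"},
    {"id": 2, "username": "carol", "name": "Carol", "state": "active"},
]
BLOCKED = [
    {"id": 3, "username": "blocked-bob", "name": "Bob", "state": "blocked"},
]


def fake_get(url, token):
    """Offline stand-in for http_get that models the reported behaviour:
    the admin view honours blocked=true; the auditor view never returns blocked users.
    Pages are two records long so the pagination loop is exercised."""
    query = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)
    only_blocked = query.get("blocked", ["false"])[0] == "true"
    page = int(query.get("page", ["1"])[0])
    if token == ADMIN_TOKEN:
        pool = BLOCKED if only_blocked else ACTIVE + BLOCKED
    else:
        pool = [] if only_blocked else ACTIVE
    per_page = 2
    chunk = pool[(page - 1) * per_page : page * per_page]
    next_page = str(page + 1) if page * per_page < len(pool) else ""
    return chunk, next_page


def reproduce(base_url="https://gitlab.example.com", get=fake_get):
    """Run the issue's two checks for the auditor token against the admin view."""
    admin_all = list_users(base_url, ADMIN_TOKEN, None, get)
    auditor_all = list_users(base_url, AUDITOR_TOKEN, None, get)
    auditor_filtered = list_users(base_url, AUDITOR_TOKEN, True, get)
    return {
        "missing_from_unfiltered": missing_blocked_users(admin_all, auditor_all),
        "auditor_blocked_true": blocked_usernames(auditor_filtered),
    }


if __name__ == "__main__":
    print(json.dumps(reproduce(), indent=2))
```

Against a real instance, a non-empty `missing_from_unfiltered` list together with an empty `auditor_blocked_true` list is exactly the behaviour the issue describes. The script keys on the `state` field because it is present in the basic user object that non-admin callers receive, so an auditor does not need the extended admin-only fields to tell a blocked user apart.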

What is the current bug behaviour?

  • Only admin users can see blocked users in the response of the above API endpoints
  • Auditor users cannot see blocked users, even with the blocked=true parameter

What is the expected correct behaviour?

Auditor users should be able to see blocked users using the blocked=true parameter in the List Users API, as suggested by the documentation.

Internal Tickets & Concerns

ZD Ticket - internal only
