Validate user limit when trying to activate user

oliverguenther · oliverguenther · commit f41c5e6f80d1 · 2026-04-17T09:04:59.000+02:00
diff --git a/app/contracts/users/update_contract.rb b/app/contracts/users/update_contract.rb
@@ -32,6 +32,7 @@ module Users
   class UpdateContract < BaseContract
     validate :user_allowed_to_update
     validate :at_least_one_admin_is_active
+    validate :user_limit_not_exceeded
 
     ##
     # Users can only be updated when
@@ -60,6 +61,12 @@ def at_least_one_admin_is_active
       end
     end
 
+    def user_limit_not_exceeded
+      if activating_user? && OpenProject::Enterprise.user_limit_reached?
+        errors.add :base, :user_limit_reached
+      end
+    end
+
     def editing_themself?
       user == model
     end
@@ -69,5 +76,9 @@ def editing_themself?
     def can_manage_user?
       user.allowed_globally?(:manage_user) && (user.admin? || !model.admin?)
     end
+
+    def activating_user?
+      model.status_changed? && model.active?
+    end
   end
 end
diff --git a/spec/contracts/users/update_contract_spec.rb b/spec/contracts/users/update_contract_spec.rb
@@ -126,6 +126,30 @@
         it_behaves_like "contract is valid"
       end
 
+      context "when user limit is reached" do
+        before do
+          allow(OpenProject::Enterprise).to receive(:user_limit_reached?).and_return(true)
+        end
+
+        context "when activating a previously inactive user" do
+          let(:attributes) { super().merge(status: Principal.statuses[:locked]) }
+
+          before do
+            user.status = Principal.statuses[:active]
+          end
+
+          it_behaves_like "contract is invalid", base: :user_limit_reached
+        end
+
+        context "when updating an already active user" do
+          before do
+            user.mail = "a.new@email.address"
+          end
+
+          it_behaves_like "contract is valid"
+        end
+      end
+
       context "when updated user authenticates through LDAP and basic attributes are changed" do
         let(:attributes) { super().merge(ldap_auth_source_id: create(:ldap_auth_source).id) }
 
diff --git a/spec/requests/api/v3/user/update_user_resource_spec.rb b/spec/requests/api/v3/user/update_user_resource_spec.rb
@@ -276,6 +276,22 @@ def send_request
 
     it_behaves_like "update flow"
 
+    describe "activation when the user limit is reached" do
+      let(:parameters) { { status: "active" } }
+
+      before do
+        user.locked!
+        allow(OpenProject::Enterprise).to receive(:user_limit_reached?).and_return(true)
+      end
+
+      it "returns an error and does not activate the user" do
+        send_request
+
+        expect(last_response).to have_http_status(:unprocessable_entity)
+        expect(user.reload).to be_locked
+      end
+    end
+
     describe "password update" do
       let(:password) { "my!new!password123" }
       let(:parameters) { { password: } }
