feat: don't allow blocking the doer

- In the case of organization blocking users, disallow blocking the doer.
- Resolves #5390
- Added integration test.

options/locale/locale_en-US.ini

@@ -1042,6 +1042,7 @@ visibility.private_tooltip = Visible only to members of organizations you have j
 blocked_since = Blocked since %s
 user_unblock_success = The user has been unblocked successfully.
 user_block_success = The user has been blocked successfully.
+user_block_yourself = You cannot block yourself.
 
 [repo]
 rss.must_be_on_branch = You must be on a branch to have an RSS feed.

routers/web/org/setting/blocked_users.go

@@ -53,6 +53,12 @@ func BlockedUsersBlock(ctx *context.Context) {
 		return
 	}
 
+	if u.ID == ctx.Doer.ID {
+		ctx.Flash.Error(ctx.Tr("settings.user_block_yourself"))
+		ctx.Redirect(ctx.Org.OrgLink + "/settings/blocked_users")
+		return
+	}
+
 	if err := user_service.BlockUser(ctx, ctx.Org.Organization.ID, u.ID); err != nil {
 		ctx.ServerError("BlockUser", err)
 		return

tests/integration/block_test.go

@@ -147,6 +147,20 @@ func TestBlockUserFromOrganization(t *testing.T) {
 			session.MakeRequest(t, req, http.StatusInternalServerError)
 		})
 	})
+
+	t.Run("Block the doer", func(t *testing.T) {
+		defer tests.PrintCurrentTest(t)()
+
+		req := NewRequestWithValues(t, "POST", org.OrganisationLink()+"/settings/blocked_users/block", map[string]string{
+			"_csrf": GetCSRF(t, session, org.OrganisationLink()+"/settings/blocked_users"),
+			"uname": doer.Name,
+		})
+		session.MakeRequest(t, req, http.StatusSeeOther)
+		assert.False(t, unittest.BeanExists(t, &user_model.BlockedUser{BlockID: doer.ID, UserID: org.ID}))
+		flashCookie := session.GetCookie(forgejo_context.CookieNameFlash)
+		assert.NotNil(t, flashCookie)
+		assert.EqualValues(t, "error%3DYou%2Bcannot%2Bblock%2Byourself.", flashCookie.Value)
+	})
 }
 
 // TestBlockActions ensures that certain actions cannot be performed as a doer