| author | Dmitriy Zaporozhets <dzaporozhets@gitlab.com> | 2014-11-04 08:47:18 +0000 | 
|---|---|---|
| committer | Dmitriy Zaporozhets <dzaporozhets@gitlab.com> | 2014-11-04 08:47:18 +0000 | 
| commit | 5cab9d6fd88eecbac52424e3b392e7b75d98507b (patch) | |
| tree | f319817c2c78e923a0ee781d5b879a615a9f0ca1 | |
| parent | d7c50b4a95b5530ae0e2f5249cfd9a419dd940c6 (diff) | |
| parent | e1c48f1431b5f7232747e608ee721b076765f12f (diff) | |
| download | gitlab-ce-5cab9d6fd88eecbac52424e3b392e7b75d98507b.tar.gz | |
Merge branch 'jastkand/gitlab-ce-fix-api-auth' into 'master'
Jastkand/gitlab ce fix api auth
Fixes https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/209
See merge request !1232
| -rw-r--r-- | CHANGELOG | 3 | ||||
| -rw-r--r-- | app/models/user.rb | 5 | ||||
| -rw-r--r-- | lib/gitlab/auth.rb | 2 | ||||
| -rw-r--r-- | spec/lib/gitlab/auth_spec.rb | 10 | ||||
| -rw-r--r-- | spec/models/user_spec.rb | 14 | ||||
| -rw-r--r-- | spec/requests/api/session_spec.rb | 26 | 
6 files changed, 57 insertions, 3 deletions
| diff --git a/CHANGELOG b/CHANGELOG
index 5dab8c864e7..ff41575bcc6 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -5,6 +5,7 @@ v 7.5.0
   - Fix LDAP config lookup for provider 'ldap'
   - Add Atlassian Bamboo CI service (Drew Blessing)
   - Mentioned @user will receive email even if he is not participating in issue or commit
+  - Session API: Use case-insensitive authentication like in UI (Andrey Krivko)
   - Tie up loose ends with annotated tags: API & UI (Sean Edge)
   - Return valid json for deleting branch via API (sponsored by O'Reilly Media)
   - Expose username in project events API (sponsored by O'Reilly Media)
@@ -52,7 +53,7 @@ v 7.4.0
   - Fix ambiguous sha problem with mentioned commit
   - Fixed bug with apostrophe when at mentioning users
   - Add active directory ldap option
-  - Developers can push to wiki repo. Protected branches does not affect wiki repo any more 
+  - Developers can push to wiki repo. Protected branches does not affect wiki repo any more
   - Faster rev list
   - Fix branch removal
diff --git a/app/models/user.rb b/app/models/user.rb
index 154cc0f3e16..52e63cde6f9 100644
--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -226,6 +226,11 @@ class User < ActiveRecord::Base
       where("lower(name) LIKE :query OR lower(email) LIKE :query OR lower(username) LIKE :query", query: "%#{query.downcase}%")
     end
+    def by_login(login)
+      where('lower(username) = :value OR lower(email) = :value',
+            value: login.to_s.downcase).first
+    end
+
     def by_username_or_id(name_or_id)
       where('users.username = ? OR users.id = ?', name_or_id.to_s, name_or_id.to_i).first
     end
diff --git a/lib/gitlab/auth.rb b/lib/gitlab/auth.rb
index ae33c529b93..30509528b8b 100644
--- a/lib/gitlab/auth.rb
+++ b/lib/gitlab/auth.rb
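Review bot: `by_login` takes `.first` from an unordered relation, so if one user's e-mail equals another user's username (case-insensitively) the row returned is left to the database, whereas the `find_by(email:) || find_by(username:)` it replaces in lib/gitlab/auth.rb deterministically preferred the e-mail match; pin it with `order(:id)` or keep an e-mail lookup before the username lookup. Whether the username format validation on this model rules such a collision out is outside the hunk. The `lower(...)` comparison also bypasses any plain index on `users.username`/`users.email` unless a functional index exists, which matters because this lookup sits behind an unauthenticated login endpoint. A blank `login` is folded to `''` by `to_s.downcase` and still issues a query; `return nil if login.blank?` at the top makes the nil/'' cases in the new spec explicit instead of relying on no user having an empty username or e-mail. Ruby's `String#downcase` and SQL `lower()` may also disagree on non-ASCII input depending on Ruby version and database collation.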
@@ -1,7 +1,7 @@
 module Gitlab
   class Auth
     def find(login, password)
-      user = User.find_by(email: login) || User.find_by(username: login)
+      user = User.by_login(login)
       # If no user is found, or it's an LDAP server, try LDAP.
       #   LDAP users are only authenticated via LDAP
diff --git a/spec/lib/gitlab/auth_spec.rb b/spec/lib/gitlab/auth_spec.rb
index 1f3e1a4a3c1..95fc7e16a11 100644
--- a/spec/lib/gitlab/auth_spec.rb
+++ b/spec/lib/gitlab/auth_spec.rb
@@ -10,13 +10,21 @@ describe Gitlab::Auth do
         password: password,
         password_confirmation: password)
     end
-    let(:username) { 'john' }
+    let(:username) { 'John' }     # username isn't lowercase, test this
     let(:password) { 'my-secret' }
     it "should find user by valid login/password" do
       expect( gl_auth.find(username, password) ).to eql user
     end
+    it 'should find user by valid email/password with case-insensitive email' do
+      expect(gl_auth.find(user.email.upcase, password)).to eql user
+    end
+
+    it 'should find user by valid username/password with case-insensitive username' do
+      expect(gl_auth.find(username.upcase, password)).to eql user
+    end
+
     it "should not find user with invalid password" do
       password = 'wrong'
       expect( gl_auth.find(username, password) ).to_not eql user
diff --git a/spec/models/user_spec.rb b/spec/models/user_spec.rb
index 6ad57b06e06..6d865cfc691 100644
--- a/spec/models/user_spec.rb
+++ b/spec/models/user_spec.rb
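Review bot: `find` carries no comment describing its lookup contract, and after this change the local lookup is case-insensitive while the LDAP fallback announced by the comment below it (the body continues past the end of the hunk) still receives `login` exactly as the caller supplied it; worth confirming both paths agree on case handling so an LDAP user is not resolved under a different identity than the local record. A one-line comment above the `def`, `# Looks up the user by username or e-mail (case-insensitive); falls back to LDAP when no local user is found or the user is an LDAP user.`, would document the new behaviour where callers will look for it.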
@@ -287,6 +287,20 @@ describe User do
     end
   end
+  describe '.by_login' do
+    let(:username) { 'John' }
+    let!(:user) { create(:user, username: username) }
+
+    it 'should get the correct user' do
+      expect(User.by_login(user.email.upcase)).to eq user
+      expect(User.by_login(user.email)).to eq user
+      expect(User.by_login(username.downcase)).to eq user
+      expect(User.by_login(username)).to eq user
+      expect(User.by_login(nil)).to be_nil
+      expect(User.by_login('')).to be_nil
+    end
+  end
+
   describe 'all_ssh_keys' do
     it { should have_many(:keys).dependent(:destroy) }
diff --git a/spec/requests/api/session_spec.rb b/spec/requests/api/session_spec.rb
index 013f425d6ce..57b2e6cbd6a 100644
--- a/spec/requests/api/session_spec.rb
+++ b/spec/requests/api/session_spec.rb
@@ -19,6 +19,32 @@ describe API::API, api: true  do
       end
     end
+    context 'when email has case-typo and password is valid' do
+      it 'should return private token' do
+        post api('/session'), email: user.email.upcase, password: '12345678'
+        expect(response.status).to eq 201
+
+        expect(json_response['email']).to eq user.email
+        expect(json_response['private_token']).to eq user.private_token
+        expect(json_response['is_admin']).to eq user.is_admin?
+        expect(json_response['can_create_project']).to eq user.can_create_project?
+        expect(json_response['can_create_group']).to eq user.can_create_group?
+      end
+    end
+
+    context 'when login has case-typo and password is valid' do
+      it 'should return private token' do
+        post api('/session'), login: user.username.upcase, password: '12345678'
+        expect(response.status).to eq 201
+
+        expect(json_response['email']).to eq user.email
+        expect(json_response['private_token']).to eq user.private_token
+        expect(json_response['is_admin']).to eq user.is_admin?
+        expect(json_response['can_create_project']).to eq user.can_create_project?
+        expect(json_response['can_create_group']).to eq user.can_create_group?
+      end
+    end
+
     context "when invalid password" do
       it "should return authentication error" do
         post api("/session"), email: user.email, password: '123' | 
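Review bot: The two new contexts carry the same six response assertions verbatim, differing only in the `post` line, and those assertions presumably already exist in the valid-login context above the hunk; a `shared_examples` block with the request moved into a `before` keeps one copy and makes a third case-handling variant a two-line addition. The rewritten contexts are sketched below; the existing "when invalid password" context is untouched.
```ruby
    shared_examples 'a successful session' do
      it 'should return private token' do
        expect(response.status).to eq 201

        expect(json_response['email']).to eq user.email
        expect(json_response['private_token']).to eq user.private_token
        expect(json_response['is_admin']).to eq user.is_admin?
        expect(json_response['can_create_project']).to eq user.can_create_project?
        expect(json_response['can_create_group']).to eq user.can_create_group?
      end
    end

    context 'when email has case-typo and password is valid' do
      before { post api('/session'), email: user.email.upcase, password: '12345678' }
      it_behaves_like 'a successful session'
    end

    context 'when login has case-typo and password is valid' do
      before { post api('/session'), login: user.username.upcase, password: '12345678' }
      it_behaves_like 'a successful session'
    end
    # … unchanged: "when invalid password" context …
```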
