authorGitLab Bot <gitlab-bot@gitlab.com>2021-05-31 11:40:33 +0000
committerGitLab Bot <gitlab-bot@gitlab.com>2021-05-31 11:40:33 +0000
commite4ba22dbf0dcc7d5a7ab6c0627ed0f799fa49d49 (patch)
treeac5c8bae3b4b3a7105700a008c5722e88c92613b
parent3ccd42374254fb4fea506382561374c18de8dc1c (diff)
downloadgitlab-ce-e4ba22dbf0dcc7d5a7ab6c0627ed0f799fa49d49.tar.gz
Add latest changes from gitlab-org/security/gitlab@13-10-stable-ee
-rw-r--r--app/controllers/oauth/authorizations_controller.rb3
-rw-r--r--app/views/doorkeeper/authorizations/redirect.html.haml9
-rw-r--r--locale/gitlab.pot3
-rw-r--r--spec/controllers/oauth/authorizations_controller_spec.rb22
4 files changed, 34 insertions, 3 deletions
diff --git a/app/controllers/oauth/authorizations_controller.rb b/app/controllers/oauth/authorizations_controller.rb
index 857f36e3833..ddf70c1892a 100644
--- a/app/controllers/oauth/authorizations_controller.rb
+++ b/app/controllers/oauth/authorizations_controller.rb
@@ -14,8 +14,9 @@ class Oauth::AuthorizationsController < Doorkeeper::AuthorizationsController
if pre_auth.authorizable?
if skip_authorization? || matching_token?
auth = authorization.authorize
+ parsed_redirect_uri = URI.parse(auth.redirect_uri)
session.delete(:user_return_to)
- redirect_to auth.redirect_uri
+ render "doorkeeper/authorizations/redirect", locals: { redirect_uri: parsed_redirect_uri }, layout: false
else
render "doorkeeper/authorizations/new"
end
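Review bot: `URI.parse(auth.redirect_uri)` on the added line can raise `URI::InvalidURIError`, and nothing in this hunk rescues it, so a redirect URI that was accepted at client registration but that Ruby's parser rejects would now fail with a 500 after the authorization has already been granted; rescue it and route to the controller's existing error rendering, or validate before `authorization.authorize` is called. The reason for replacing the 302 with a rendered page is not recorded in the code, so a later cleanup could reinstate `redirect_to`; a comment such as `# Render an interstitial instead of a 302 so the browser performs the final hop to the client's redirect_uri (security fix, see [issue id])` above the `render` line would prevent that. The action this hunk belongs to starts above the hunk.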
diff --git a/app/views/doorkeeper/authorizations/redirect.html.haml b/app/views/doorkeeper/authorizations/redirect.html.haml
new file mode 100644
index 00000000000..d2845bbc97a
--- /dev/null
+++ b/app/views/doorkeeper/authorizations/redirect.html.haml
@@ -0,0 +1,9 @@
+%h3.page-title= _("Redirecting")
+
+%div
+ -# haml-lint:disable NoPlainNodes
+ %a{ :href => redirect_uri } Click here to redirect to #{redirect_uri}
+ -# haml-lint:enable NoPlainNodes
+
+:javascript
+ window.location= "#{redirect_uri}";
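Review bot: `window.location= "#{redirect_uri}";` builds a JavaScript string literal by interpolation, so the page is only safe because the controller passes a `URI` object that `URI.parse` has already checked (that parser rejects quotes and angle brackets); that invariant is invisible from the view, and whether the `:javascript` filter HTML-escapes interpolated values depends on the Haml version and is in any case not the escaping a JavaScript string needs. Encode for the JavaScript context instead, `window.location = #{redirect_uri.to_s.to_json};`, so the view no longer depends on its caller for output safety. The anchor's `:href` goes through Haml attribute escaping and is fine as written.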
diff --git a/locale/gitlab.pot b/locale/gitlab.pot
index ae9f014fa09..f15ad6b8a23 100644
--- a/locale/gitlab.pot
+++ b/locale/gitlab.pot
@@ -25020,6 +25020,9 @@ msgstr ""
msgid "Redirect to SAML provider to test configuration"
msgstr ""
+msgid "Redirecting"
+msgstr ""
+
msgid "Redis"
msgstr ""
diff --git a/spec/controllers/oauth/authorizations_controller_spec.rb b/spec/controllers/oauth/authorizations_controller_spec.rb
index 2df94a06b3e..549e7829c82 100644
--- a/spec/controllers/oauth/authorizations_controller_spec.rb
+++ b/spec/controllers/oauth/authorizations_controller_spec.rb
@@ -70,12 +70,29 @@ RSpec.describe Oauth::AuthorizationsController do
describe 'GET #new' do
subject { get :new, params: params }
- include_examples 'OAuth Authorizations require confirmed user'
include_examples "Implicit grant can't be used in confidential application"
context 'when the user is confirmed' do
let(:confirmed_at) { 1.hour.ago }
+ context 'when there is already an access token for the application with a matching scope' do
+ before do
+ scopes = Doorkeeper::OAuth::Scopes.from_string('api')
+
+ allow(Doorkeeper.configuration).to receive(:scopes).and_return(scopes)
+
+ create(:oauth_access_token, application: application, resource_owner_id: user.id, scopes: scopes)
+ end
+
+ it 'authorizes the request and shows the user a page that redirects' do
+ subject
+
+ expect(request.session['user_return_to']).to be_nil
+ expect(response).to have_gitlab_http_status(:ok)
+ expect(response).to render_template('doorkeeper/authorizations/redirect')
+ end
+ end
+
context 'without valid params' do
it 'returns 200 code and renders error view' do
get :new
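Review bot: Dropping `include_examples 'OAuth Authorizations require confirmed user'` from `GET #new` leaves, as far as this hunk shows, no case for an unconfirmed user, and the new context under `let(:confirmed_at)` only exercises the confirmed, already-authorized path. If the shared example was removed because it asserts the old 302, keep an explicit unconfirmed-user example in `GET #new` rather than losing the check entirely. The new example could also assert that the rendered page targets the application, e.g. `expect(response.body).to include(application.redirect_uri)`, since `render_template` alone proves only which view ran. The `describe 'GET #new'` block continues outside the hunk.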
@@ -102,7 +119,8 @@ RSpec.describe Oauth::AuthorizationsController do
subject
expect(request.session['user_return_to']).to be_nil
- expect(response).to have_gitlab_http_status(:found)
+ expect(response).to have_gitlab_http_status(:ok)
+ expect(response).to render_template('doorkeeper/authorizations/redirect')
end
end
end