diff options
author | Robert Speicher <robert@gitlab.com> | 2017-07-24 22:42:52 +0000 |
---|---|---|
committer | Mike Greiling <mike@pixelcog.com> | 2017-07-24 22:54:33 -0500 |
commit | 2cde1f45222c55b3c9f50cc7da6d1edb777d8a56 (patch) | |
tree | 559614311aab0a64d0479ec45d9de13c30d6875a | |
parent | e8203a11ad01de5c50147f06de0af0c2cb5a375f (diff) | |
download | gitlab-ce-2cde1f45222c55b3c9f50cc7da6d1edb777d8a56.tar.gz |
Merge branch 'bvl-fix-login-issue-with-ldap-enabled' into 'master'
Load the sessionscontroller after loading the ldap strategies
Closes #35447
See merge request !13049
-rw-r--r-- | app/controllers/sessions_controller.rb | 8 | ||||
-rw-r--r-- | changelogs/unreleased/bvl-fix-login-issue-with-ldap-enabled.yml | 5 |
2 files changed, 13 insertions, 0 deletions
diff --git a/app/controllers/sessions_controller.rb b/app/controllers/sessions_controller.rb index f39441a281e..8118a32aeef 100644 --- a/app/controllers/sessions_controller.rb +++ b/app/controllers/sessions_controller.rb @@ -5,6 +5,14 @@ class SessionsController < Devise::SessionsController skip_before_action :check_two_factor_requirement, only: [:destroy] + # Explicitly call protect from forgery before anything else. Otherwise the + # CSFR-token might be cleared before authentication is done. This was the case + # when LDAP was enabled and the `OmniauthCallbacksController` is loaded + # + # *Note:* `prepend: true` is the default for rails4, but this will be changed + # to `prepend: false` in rails5. + protect_from_forgery prepend: true, with: :exception + prepend_before_action :check_initial_setup, only: [:new] prepend_before_action :authenticate_with_two_factor, if: :two_factor_enabled?, only: [:create] diff --git a/changelogs/unreleased/bvl-fix-login-issue-with-ldap-enabled.yml b/changelogs/unreleased/bvl-fix-login-issue-with-ldap-enabled.yml new file mode 100644 index 00000000000..a98455d0916 --- /dev/null +++ b/changelogs/unreleased/bvl-fix-login-issue-with-ldap-enabled.yml @@ -0,0 +1,5 @@ +--- +title: Fix cross site request protection when logging in as a regular user when LDAP + is enabled +merge_request: 13049 +author: |