authorMaxime Besson <maxime.besson@smile.fr>2017-03-23 14:49:59 +0100
committerRémy Coutable <remy@rymai.me>2017-06-02 20:00:11 +0200
commit9326d896238dd82bf5b8b1a3bc7913b8f03b5c98 (patch)
treec47c4711e1944ebe5f0477e004dd8d8c5c8103b9 /app/controllers/sessions_controller.rb
parent1e8dbd46758d5c9772baf233ebcff889dc742d3d (diff)
downloadgitlab-ce-9326d896238dd82bf5b8b1a3bc7913b8f03b5c98.tar.gz
Allow manual bypass of auto_sign_in_with_providermabes/gitlab-ce-bypass-auto-login
This commit lets a user bypass the automatic sign-in on the login form, in order to log in with a technical (admin, etc.) account. Closes #3786 Signed-off-by: Rémy Coutable <remy@rymai.me>
Diffstat (limited to 'app/controllers/sessions_controller.rb')
-rw-r--r--app/controllers/sessions_controller.rb6
1 files changed, 5 insertions, 1 deletions
diff --git a/app/controllers/sessions_controller.rb b/app/controllers/sessions_controller.rb
index 8c6ba4915cd..10806895764 100644
--- a/app/controllers/sessions_controller.rb
+++ b/app/controllers/sessions_controller.rb
@@ -90,7 +90,7 @@ class SessionsController < Devise::SessionsController
# Prevent a 'you are already signed in' message directly after signing:
# we should never redirect to '/users/sign_in' after signing in successfully.
- unless redirect_path == new_user_session_path
+ unless URI(redirect_path).path == new_user_session_path
store_location_for(:redirect, redirect_path)
end
end
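Review bot: `URI(redirect_path)` on the changed `unless` line raises `URI::InvalidURIError` when the string cannot be parsed, and nothing in the hunk rescues it. How `redirect_path` is built is outside the hunk, but if it can carry the request path or a referer value, a malformed one would turn a successful sign-in into an error page where the old string comparison could not fail. I would treat an unparseable value as "do not store a location", for example by adding a `rescue URI::InvalidURIError` clause to the enclosing method, with a one-line comment saying that only the path component is compared so that query strings such as `?auto_sign_in=false` still match the sign-in page. The enclosing method starts outside the hunk.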
@@ -103,6 +103,10 @@ class SessionsController < Devise::SessionsController
provider = Gitlab.config.omniauth.auto_sign_in_with_provider
return unless provider.present?
+ # If a "auto_sign_in" query parameter is set to a falsy value, don't auto sign-in.
+ # Otherwise, the default is to auto sign-in.
+ return if Gitlab::Utils.to_boolean(params[:auto_sign_in]) == false
+
# Auto sign in with an Omniauth provider only if the standard "you need to sign-in" alert is
# registered or no alert at all. In case of another alert (such as a blocked user), it is safer
# to do nothing to prevent redirection loops with certain Omniauth providers.
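Review bot: The `auto_sign_in` value checked by the new `return if` line comes straight from the request, so any visitor can suppress the provider redirect and reach the standard sign-in form, not only administrators. That matches the stated purpose of the commit, but it means `auto_sign_in_with_provider` cannot be relied on to keep local password sign-in unreachable, and the comment should say so: `# NOTE: this bypass is user-controlled; auto sign-in is a convenience, not an access control. Disable password sign-in separately if it must not be reachable.` The explicit `== false` comparison presumably keeps auto sign-in on when the parameter is absent or unrecognised (the helper's return values are not visible here), which is worth stating in the same comment. The method body continues outside the hunk.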