authorGitLab Bot <gitlab-bot@gitlab.com>2021-09-29 12:53:15 +0000
committerGitLab Bot <gitlab-bot@gitlab.com>2021-09-29 12:53:43 +0000
commit8a2a8c40a84b97bd1df668b3458cf61cadce1c2a (patch)
tree838787352e579632098ddc791afe20b5ed856c12 /app/controllers
parent86842c660b55c74269649851bb694e40367e8bef (diff)
downloadgitlab-ce-8a2a8c40a84b97bd1df668b3458cf61cadce1c2a.tar.gz
Add latest changes from gitlab-org/security/gitlab@14-3-stable-ee
Diffstat (limited to 'app/controllers')
-rw-r--r--app/controllers/profiles/two_factor_auths_controller.rb10
1 files changed, 10 insertions, 0 deletions
diff --git a/app/controllers/profiles/two_factor_auths_controller.rb b/app/controllers/profiles/two_factor_auths_controller.rb
index 5eb46421583..d1b9485f06d 100644
--- a/app/controllers/profiles/two_factor_auths_controller.rb
+++ b/app/controllers/profiles/two_factor_auths_controller.rb
@@ -3,6 +3,8 @@
class Profiles::TwoFactorAuthsController < Profiles::ApplicationController
skip_before_action :check_two_factor_requirement
before_action :ensure_verified_primary_email, only: [:show, :create]
+ before_action :validate_current_password, only: [:create, :codes, :destroy]
+
before_action do
push_frontend_feature_flag(:webauthn)
end
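Review bot: The new `before_action :validate_current_password, only: [:create, :codes, :destroy]` is applied unconditionally, so an account that has no usable password (one whose password was set automatically for an external/SSO sign-in) would fail the `current_user.valid_password?` check in the callback body below and be unable to enable, regenerate codes for, or disable 2FA; consider exempting those users with `unless: -> { current_user.password_automatically_set? }` on the callback, or an equivalent early return inside it. The `only:` list also covers just the OTP paths; since the controller pushes the `:webauthn` feature flag two lines below, any WebAuthn/U2F registration actions it defines would presumably need the same password check and should be added to that list. Because the callback also calls `increment_failed_attempts!` on a wrong password, exempting password-less users keeps their own 2FA requests from counting toward a lockout. The controller body continues past the hunk.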
@@ -134,6 +136,14 @@ class Profiles::TwoFactorAuthsController < Profiles::ApplicationController
private
+ def validate_current_password
+ return if current_user.valid_password?(params[:current_password])
+
+ current_user.increment_failed_attempts!
+
+ redirect_to profile_two_factor_auth_path, alert: _('You must provide a valid current password')
+ end
+
def build_qr_code
uri = current_user.otp_provisioning_uri(account_string, issuer: issuer_host)
RQRCode.render_qrcode(uri, :svg, level: :m, unit: 3)