diff options
author | Nick Thomas <nick@gitlab.com> | 2019-03-20 16:08:05 +0000 |
---|---|---|
committer | Nick Thomas <nick@gitlab.com> | 2019-03-20 16:08:05 +0000 |
commit | 4249eac3058fbc57724feb04b98a547732ca5959 (patch) | |
tree | 64fdca86085444bfb4b9b30760256705e2c84666 /app/controllers | |
parent | 9820cdaf8e985c338ecbd4c6659479551a7518f7 (diff) | |
parent | 8ee1927db90d43205b4e6f8bd13f209c74b41bd1 (diff) | |
download | gitlab-ce-4249eac3058fbc57724feb04b98a547732ca5959.tar.gz |
Merge branch 'create-identity-provider-policy' into 'master'
Move out link\unlink ability checks to a policy
See merge request gitlab-org/gitlab-ce!26278
Diffstat (limited to 'app/controllers')
-rw-r--r-- | app/controllers/omniauth_callbacks_controller.rb | 4 | ||||
-rw-r--r-- | app/controllers/profiles/accounts_controller.rb | 2 |
2 files changed, 4 insertions, 2 deletions
diff --git a/app/controllers/omniauth_callbacks_controller.rb b/app/controllers/omniauth_callbacks_controller.rb index cc2bb99f55b..e90e8278c13 100644 --- a/app/controllers/omniauth_callbacks_controller.rb +++ b/app/controllers/omniauth_callbacks_controller.rb @@ -3,6 +3,7 @@ class OmniauthCallbacksController < Devise::OmniauthCallbacksController include AuthenticatesWithTwoFactor include Devise::Controllers::Rememberable + include AuthHelper protect_from_forgery except: [:kerberos, :saml, :cas3, :failure], with: :exception, prepend: true @@ -80,10 +81,11 @@ class OmniauthCallbacksController < Devise::OmniauthCallbacksController end if current_user + return render_403 unless link_provider_allowed?(oauth['provider']) + log_audit_event(current_user, with: oauth['provider']) identity_linker ||= auth_module::IdentityLinker.new(current_user, oauth) - identity_linker.link if identity_linker.changed? diff --git a/app/controllers/profiles/accounts_controller.rb b/app/controllers/profiles/accounts_controller.rb index b0d65f284af..0d2a6145d0e 100644 --- a/app/controllers/profiles/accounts_controller.rb +++ b/app/controllers/profiles/accounts_controller.rb @@ -14,7 +14,7 @@ class Profiles::AccountsController < Profiles::ApplicationController return render_404 unless identity - if unlink_allowed?(provider) + if unlink_provider_allowed?(provider) identity.destroy else flash[:alert] = "You are not allowed to unlink your primary login account" |