diff options
author | GitLab Release Tools Bot <robert+release-tools@gitlab.com> | 2019-06-03 12:34:09 +0000 |
---|---|---|
committer | GitLab Release Tools Bot <robert+release-tools@gitlab.com> | 2019-06-03 12:34:09 +0000 |
commit | 3dcf3cfde35d1506c7196634080849d002251a41 (patch) | |
tree | 2af98684876c2d91811fd0069de0691060d4270c /app/controllers | |
parent | 38e4977dc7931aea13f496cafd3ed7d15d5ec93e (diff) | |
parent | fab6a50f17d15d21a157d4d561f41527fa943f27 (diff) | |
download | gitlab-ce-3dcf3cfde35d1506c7196634080849d002251a41.tar.gz |
Merge branch 'security-jej/prevent-web-sign-in-bypass' into 'master'
Prevent password sign in restriction bypass
See merge request gitlab/gitlabhq!2702
Diffstat (limited to 'app/controllers')
-rw-r--r-- | app/controllers/sessions_controller.rb | 9 |
1 files changed, 9 insertions, 0 deletions
diff --git a/app/controllers/sessions_controller.rb b/app/controllers/sessions_controller.rb index 6fea61cf45d..a841859621e 100644 --- a/app/controllers/sessions_controller.rb +++ b/app/controllers/sessions_controller.rb @@ -18,6 +18,7 @@ class SessionsController < Devise::SessionsController prepend_before_action :store_redirect_uri, only: [:new] prepend_before_action :ldap_servers, only: [:new, :create] prepend_before_action :require_no_authentication_without_flash, only: [:new, :create] + prepend_before_action :ensure_password_authentication_enabled!, if: :password_based_login?, only: [:create] before_action :auto_sign_in_with_provider, only: [:new] before_action :load_recaptcha @@ -138,6 +139,14 @@ class SessionsController < Devise::SessionsController end # rubocop: enable CodeReuse/ActiveRecord + def ensure_password_authentication_enabled! + render_403 unless Gitlab::CurrentSettings.password_authentication_enabled_for_web? + end + + def password_based_login? + user_params[:login].present? || user_params[:password].present? + end + def user_params params.require(:user).permit(:login, :password, :remember_me, :otp_attempt, :device_response) end |