diff options
author | GitLab Bot <gitlab-bot@gitlab.com> | 2021-01-06 19:21:00 +0000 |
---|---|---|
committer | GitLab Bot <gitlab-bot@gitlab.com> | 2021-01-06 19:21:00 +0000 |
commit | fa70ce1068babe592d348497c772f1b5160cbb6e (patch) | |
tree | 88e00024a01cd6464afc88150a378f3e1de5bc7e /app/controllers | |
parent | bd200951d7e928b84bd5b4ef1210a56d688a03c9 (diff) | |
download | gitlab-ce-fa70ce1068babe592d348497c772f1b5160cbb6e.tar.gz |
Add latest changes from gitlab-org/security/gitlab@13-7-stable-ee
Diffstat (limited to 'app/controllers')
-rw-r--r-- | app/controllers/oauth/authorizations_controller.rb | 11 |
1 files changed, 11 insertions, 0 deletions
diff --git a/app/controllers/oauth/authorizations_controller.rb b/app/controllers/oauth/authorizations_controller.rb index 6e8686ee90b..ade698baa7f 100644 --- a/app/controllers/oauth/authorizations_controller.rb +++ b/app/controllers/oauth/authorizations_controller.rb @@ -24,6 +24,17 @@ class Oauth::AuthorizationsController < Doorkeeper::AuthorizationsController end end + def create + # Confidential apps require the client_secret to be sent with the request. + # Doorkeeper allows implicit grant flow requests (response_type=token) to + # work without client_secret regardless of the confidential setting. + if pre_auth.authorizable? && pre_auth.response_type == 'token' && pre_auth.client.application.confidential + render "doorkeeper/authorizations/error" + else + super + end + end + private def verify_confirmed_email! |