author | GitLab Bot <gitlab-bot@gitlab.com> | 2020-09-30 22:14:30 +0000 |
---|---|---|
committer | GitLab Bot <gitlab-bot@gitlab.com> | 2020-09-30 22:14:30 +0000 |
commit | 4d243f5ca3709f28f9de96937e3c2ac736deb4bd (patch) | |
tree | 1497701e95f387e46db5311ca12be41c00fed836 /app/controllers | |
parent | 516fba52cf280b9d5bad08dce9f0150f859b6cea (diff) | |
Add latest changes from gitlab-org/security/gitlab@13-4-stable-ee
Diffstat (limited to 'app/controllers')
-rw-r--r-- | app/controllers/admin/users_controller.rb | 21 | ||||
-rw-r--r-- | app/controllers/profiles/emails_controller.rb | 12 | ||||
-rw-r--r-- | app/controllers/projects/raw_controller.rb | 1 | ||||
-rw-r--r-- | app/controllers/registrations_controller.rb | 10 |
4 files changed, 42 insertions, 2 deletions
diff --git a/app/controllers/admin/users_controller.rb b/app/controllers/admin/users_controller.rb
index 050f83edacb..e19b09e1324 100644
--- a/app/controllers/admin/users_controller.rb
+++ b/app/controllers/admin/users_controller.rb
@@ -5,6 +5,7 @@ class Admin::UsersController < Admin::ApplicationController
 before_action :user, except: [:index, :new, :create]
 before_action :check_impersonation_availability, only: :impersonate
+ before_action :ensure_destroy_prerequisites_met, only: [:destroy]
 def index
 @users = User.filter_items(params[:filter]).order_name_asc
@@ -173,7 +174,7 @@ class Admin::UsersController < Admin::ApplicationController
 end
 def destroy
- user.delete_async(deleted_by: current_user, params: params.permit(:hard_delete))
+ user.delete_async(deleted_by: current_user, params: destroy_params)
 respond_to do |format|
 format.html { redirect_to admin_users_path, status: :found, notice: _("The user is being deleted.") }
@@ -202,6 +203,24 @@ class Admin::UsersController < Admin::ApplicationController
 user != current_user
 end
+ def destroy_params
+ params.permit(:hard_delete)
+ end
+
+ def ensure_destroy_prerequisites_met
+ return if hard_delete?
+
+ if user.solo_owned_groups.present?
+ message = s_('AdminUsers|You must transfer ownership or delete the groups owned by this user before you can delete their account')
+
+ redirect_to admin_user_path(user), status: :see_other, alert: message
+ end
+ end
+
+ def hard_delete?
+ destroy_params[:hard_delete]
+ end
+
 def user
 @user ||= find_routable!(User, params[:id])
 end
diff --git a/app/controllers/profiles/emails_controller.rb b/app/controllers/profiles/emails_controller.rb
index f666a1150a6..da553e34ef6 100644
--- a/app/controllers/profiles/emails_controller.rb
+++ b/app/controllers/profiles/emails_controller.rb
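Review bot: `hard_delete?` in the third hunk returns the raw permitted parameter, so any present string value — `hard_delete=false` or `hard_delete=0` included — is truthy and makes `ensure_destroy_prerequisites_met` return early, skipping the solo-owned-groups check. Whether `delete_async` and the deletion path behind it (outside this diff) read the same value as a hard delete is not visible here, so the guard and the worker may disagree on a request like that and a soft delete could be queued for a user who still solely owns groups. Casting once, `ActiveModel::Type::Boolean.new.cast(destroy_params[:hard_delete])`, makes the predicate a real boolean and keeps it aligned with the usual Rails reading of the flag. A one-line comment on the early return would also help, e.g. `# Hard deletes bypass the ownership guard; the deletion path is expected to handle solo-owned groups — confirm`. The `destroy` action in the second hunk continues outside the hunk.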
@@ -2,6 +2,8 @@ class Profiles::EmailsController < Profiles::ApplicationController
 before_action :find_email, only: [:destroy, :resend_confirmation_instructions]
+ before_action -> { rate_limit!(:profile_add_new_email) }, only: [:create]
+ before_action -> { rate_limit!(:profile_resend_email_confirmation) }, only: [:resend_confirmation_instructions]
 def index
 @primary_email = current_user.email
@@ -38,6 +40,16 @@ class Profiles::EmailsController < Profiles::ApplicationController
 private
+ def rate_limit!(action)
+ rate_limiter = ::Gitlab::ApplicationRateLimiter
+
+ if rate_limiter.throttled?(action, scope: current_user)
+ rate_limiter.log_request(request, action, current_user)
+
+ redirect_back_or_default(options: { alert: _('This action has been performed too many times. Try again later.') })
+ end
+ end
+
 def email_params
 params.require(:email).permit(:email)
 end
diff --git a/app/controllers/projects/raw_controller.rb b/app/controllers/projects/raw_controller.rb
index 69a3898af55..29f1e4bfd44 100644
--- a/app/controllers/projects/raw_controller.rb
+++ b/app/controllers/projects/raw_controller.rb
@@ -12,6 +12,7 @@ class Projects::RawController < Projects::ApplicationController
 before_action :authorize_download_code!
 before_action :show_rate_limit, only: [:show], unless: :external_storage_request?
 before_action :assign_ref_vars
+ before_action :no_cache_headers, only: [:show]
 before_action :redirect_to_external_storage, only: :show, if: :static_objects_external_storage_enabled?
 def show
diff --git a/app/controllers/registrations_controller.rb b/app/controllers/registrations_controller.rb
index a1252c68403..204520a3e71 100644
--- a/app/controllers/registrations_controller.rb
+++ b/app/controllers/registrations_controller.rb
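Review bot: `rate_limit!` in the second emails_controller hunk stops the request only because Rails halts the filter chain when a before_action redirects; nothing in the method says so, and a reader could add a call site outside a filter and expect it to block. Suggest a header comment such as `# Before-action guard: when the per-user limit for +action+ is exceeded, log the hit and redirect, which halts the chain before the action runs.` The two throttle keys used in the first hunk, `:profile_add_new_email` and `:profile_resend_email_confirmation`, need matching threshold entries in `::Gitlab::ApplicationRateLimiter`; this diff is limited to app/controllers, so those entries are not visible and should be confirmed, otherwise `throttled?` presumably never fires. The limit is scoped to `current_user`, so it bounds how often one account can trigger confirmation mail, which is the abuse case this guard addresses.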
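Review bot: The new `no_cache_headers` filter on `show` in raw_controller.rb carries no comment explaining why raw blob responses must not be cached, and the reason is not obvious from the surrounding filters. Raw content of private repositories is served by this action, so a cached copy at a proxy or in a browser could be replayed to a later request without the same authorization; suggest `# Raw blobs can be private: forbid caching so no intermediary serves them to another requester` above the new line. The filter is placed before `redirect_to_external_storage`, so the redirect response also receives the no-cache headers — presumably intended, worth confirming. `no_cache_headers` itself is defined outside this hunk.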
@@ -10,7 +10,7 @@ class RegistrationsController < Devise::RegistrationsController
 skip_before_action :required_signup_info, :check_two_factor_requirement, only: [:welcome, :update_registration]
 prepend_before_action :check_captcha, only: :create
- before_action :whitelist_query_limiting, only: [:destroy]
+ before_action :whitelist_query_limiting, :ensure_destroy_prerequisites_met, only: [:destroy]
 before_action :ensure_terms_accepted, if: -> { action_name == 'create' && Gitlab::CurrentSettings.current_application_settings.enforce_terms? }
 before_action :load_recaptcha, only: :new
@@ -124,6 +124,14 @@ class RegistrationsController < Devise::RegistrationsController
 private
+ def ensure_destroy_prerequisites_met
+ if current_user.solo_owned_groups.present?
+ redirect_to profile_account_path,
+ status: :see_other,
+ alert: s_('Profiles|You must transfer ownership or delete groups you are an owner of before you can delete your account')
+ end
+ end
+
 def user_created_message(confirmed: false)
 "User Created: username=#{resource.username} email=#{resource.email} ip=#{request.remote_ip} confirmed:#{confirmed}"
 end
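Review bot: `ensure_destroy_prerequisites_met` in the second hunk is a controller-layer pre-check only: it redirects when `current_user.solo_owned_groups` is non-empty, but nothing in the hunk ties that check to the deletion itself, so if `destroy` hands the work to an asynchronous job (not visible here) a group that becomes solo-owned between this check and the job running would not be caught. The deletion service is the place that must enforce the invariant; a comment such as `# UI pre-check only; the destroy service must reject solo-owned groups as well` would make that expectation explicit, and it is worth confirming the service does. The same guard is added to app/controllers/admin/users_controller.rb in this commit with the user and redirect target as the only differences; naming that in a comment (`# Mirrors Admin::UsersController#ensure_destroy_prerequisites_met`) helps keep the two in sync, and using a `message =` local here as the admin version does would make the pair read alike. The surrounding `private` section continues outside the hunk.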