diff options
author | GitLab Bot <gitlab-bot@gitlab.com> | 2021-09-29 12:53:15 +0000 |
---|---|---|
committer | GitLab Bot <gitlab-bot@gitlab.com> | 2021-09-29 12:53:43 +0000 |
commit | 8a2a8c40a84b97bd1df668b3458cf61cadce1c2a (patch) | |
tree | 838787352e579632098ddc791afe20b5ed856c12 /app/controllers | |
parent | 86842c660b55c74269649851bb694e40367e8bef (diff) | |
download | gitlab-ce-8a2a8c40a84b97bd1df668b3458cf61cadce1c2a.tar.gz |
Add latest changes from gitlab-org/security/gitlab@14-3-stable-ee
Diffstat (limited to 'app/controllers')
-rw-r--r-- | app/controllers/profiles/two_factor_auths_controller.rb | 10 |
1 files changed, 10 insertions, 0 deletions
diff --git a/app/controllers/profiles/two_factor_auths_controller.rb b/app/controllers/profiles/two_factor_auths_controller.rb index 5eb46421583..d1b9485f06d 100644 --- a/app/controllers/profiles/two_factor_auths_controller.rb +++ b/app/controllers/profiles/two_factor_auths_controller.rb @@ -3,6 +3,8 @@ class Profiles::TwoFactorAuthsController < Profiles::ApplicationController skip_before_action :check_two_factor_requirement before_action :ensure_verified_primary_email, only: [:show, :create] + before_action :validate_current_password, only: [:create, :codes, :destroy] + before_action do push_frontend_feature_flag(:webauthn) end @@ -134,6 +136,14 @@ class Profiles::TwoFactorAuthsController < Profiles::ApplicationController private + def validate_current_password + return if current_user.valid_password?(params[:current_password]) + + current_user.increment_failed_attempts! + + redirect_to profile_two_factor_auth_path, alert: _('You must provide a valid current password') + end + def build_qr_code uri = current_user.otp_provisioning_uri(account_string, issuer: issuer_host) RQRCode.render_qrcode(uri, :svg, level: :m, unit: 3) |