Add latest changes from gitlab-org/security/gitlab@14-6-stable-ee

author: GitLab Bot <gitlab-bot@gitlab.com> 2022-01-10 20:36:29 +0000
committer: GitLab Bot <gitlab-bot@gitlab.com> 2022-01-10 20:36:29 +0000
commit: 1eef146c2d1de19d4e995d421e5787053e50db80 (patch)
tree: 2761efabea712248557826977a849e31e3fdb961 /app/controllers
parent: 661d663ab2b7c69977ba8a0db02ef4afc2427e39 (diff)
download: gitlab-ce-1eef146c2d1de19d4e995d421e5787053e50db80.tar.gz
1 files changed, 1 insertions, 1 deletions
diff --git a/app/controllers/concerns/sessionless_authentication.rb b/app/controllers/concerns/sessionless_authentication.rb
index 58e65ba20e2..c6d926c8a8d 100644
--- a/app/controllers/concerns/sessionless_authentication.rb
+++ b/app/controllers/concerns/sessionless_authentication.rb
@@ -20,7 +20,7 @@ module SessionlessAuthentication
   end
 
   def sessionless_sign_in(user)
-    if user && can?(user, :log_in)
+    if can?(user, :log_in) && !user.password_expired_if_applicable?
       # Notice we are passing store false, so the user is not
       # actually stored in the session and a token is needed
       # for every request. If you want the token to work as a
author	GitLab Bot <gitlab-bot@gitlab.com>	2022-01-10 20:36:29 +0000
committer	GitLab Bot <gitlab-bot@gitlab.com>	2022-01-10 20:36:29 +0000
commit	1eef146c2d1de19d4e995d421e5787053e50db80 (patch)
tree	2761efabea712248557826977a849e31e3fdb961 /app/controllers
parent	661d663ab2b7c69977ba8a0db02ef4afc2427e39 (diff)
download	gitlab-ce-1eef146c2d1de19d4e995d421e5787053e50db80.tar.gz