author | Patricio Cano <suprnova32@gmail.com> | 2016-07-14 13:19:40 -0500 |
---|---|---|
committer | Patricio Cano <suprnova32@gmail.com> | 2016-07-18 17:52:29 -0500 |
commit | defb8660c08a904a385b584280f72fc6a5a94c6e (patch) | |
tree | 1a93c424e4ad3ffb3d18350fdaaaa6c43879bad1 /app/models | |
parent | 777a080892f710915c8f4d62864813ef388a1873 (diff) | |
download | gitlab-ce-defb8660c08a904a385b584280f72fc6a5a94c6e.tar.gz |
Added the ability to block sign ups using a domain blacklist.
Diffstat (limited to 'app/models')
-rw-r--r-- | app/models/application_setting.rb | 35 | ||||
-rw-r--r-- | app/models/user.rb | 40 |
2 files changed, 56 insertions, 19 deletions
diff --git a/app/models/application_setting.rb b/app/models/application_setting.rb index c6f77cc055f..84b1b54eeae 100644 --- a/app/models/application_setting.rb +++ b/app/models/application_setting.rb @@ -9,7 +9,9 @@ class ApplicationSetting < ActiveRecord::Base serialize :import_sources serialize :disabled_oauth_sign_in_sources, Array serialize :restricted_signup_domains, Array - attr_accessor :restricted_signup_domains_raw + serialize :domain_blacklist, Array + + attr_accessor :restricted_signup_domains_raw, :domain_blacklist_raw validates :session_expire_delay, presence: true, @@ -62,6 +64,10 @@ class ApplicationSetting < ActiveRecord::Base validates :enabled_git_access_protocol, inclusion: { in: %w(ssh http), allow_blank: true, allow_nil: true } + validates :domain_blacklist, + presence: true, + if: :domain_blacklist_enabled? + validates_each :restricted_visibility_levels do |record, attr, value| unless value.nil? value.each do |level| 
@@ -154,18 +160,35 @@ class ApplicationSetting < ActiveRecord::Base self.restricted_signup_domains.join("\n") unless self.restricted_signup_domains.nil? end - def restricted_signup_domains_raw=(values) - self.restricted_signup_domains = [] - self.restricted_signup_domains = values.split( - /\s*[,;]\s* # comma or semicolon, optionally surrounded by whitespace + def domain_blacklist_raw + self.domain_blacklist.join("\n") unless self.domain_blacklist.nil? + end + + def splitter + /\s*[,;]\s* # comma or semicolon, optionally surrounded by whitespace | # or \s # any whitespace character | # or [\r\n] # any number of newline characters - /x) + /x + end + + def restricted_signup_domains_raw=(values) + self.restricted_signup_domains = [] + self.restricted_signup_domains = values.split(splitter) self.restricted_signup_domains.reject! { |d| d.empty? } end + def domain_blacklist_raw=(values) + self.domain_blacklist = [] + self.domain_blacklist = values.split(splitter) + self.domain_blacklist.reject! { |d| d.empty? } + end + + def domain_blacklist_file=(file) + self.domain_blacklist_raw = file.read + end + def runners_registration_token ensure_runners_registration_token! end diff --git a/app/models/user.rb b/app/models/user.rb index 3d0a033785c..b0c5d84fc40 100644 --- a/app/models/user.rb +++ b/app/models/user.rb @@ -111,7 +111,7 @@ class User < ActiveRecord::Base validates :avatar, file_size: { maximum: 200.kilobytes.to_i } before_validation :generate_password, on: :create - before_validation :restricted_signup_domains, on: :create + before_validation :signup_domain_valid?, on: :create before_validation :sanitize_attrs before_validation :set_notification_email, if: ->(user) { user.email_changed? } before_validation :set_public_email, if: ->(user) { user.public_email_changed? } 
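Review bot: `domain_blacklist_file=` hands `file.read` straight to the raw setter, so the whole upload is read into memory and then serialized into the settings row with no size bound visible in this hunk. If `file` is an uploaded-file object, checking `file.size` against a limit constant defined on the model before reading would bound that. `domain_blacklist_raw=` stores entries as typed (no downcasing, no rejection of strings that are not domain patterns), and `values.split` raises on `nil`; `values.to_s.split(splitter)` would cover the latter. `splitter` rebuilds the same regexp on every call and becomes a public model method; a frozen constant is the usual shape, ideally with a comment noting that both list setters share it.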
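Review bot: The renamed callback `signup_domain_valid?` is still registered only `on: :create`, so the new blacklist is applied at sign-up but not when an existing user later changes `email`. If blocked domains are meant to stay off accounts altogether, the check would also need to run when `email_changed?`, the condition the neighbouring `set_notification_email` callback already uses. The `?` suffix reads like a side-effect-free predicate while the method adds errors, so a comment on the callback line such as `# rejects sign-up emails from blacklisted or non-whitelisted domains` would help. The hunk shows only the callback list; the rest of the class is outside it.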
@@ -760,27 +760,41 @@ class User < ActiveRecord::Base Project.where(id: events) end - def restricted_signup_domains - email_domains = current_application_settings.restricted_signup_domains + def match_domain(email_domains) + email_domains.any? do |domain| + escaped = Regexp.escape(domain).gsub('\*', '.*?') + regexp = Regexp.new "^#{escaped}$", Regexp::IGNORECASE + email_domain = Mail::Address.new(self.email).domain + email_domain =~ regexp + end + end + + def signup_domain_valid? + valid = true - unless email_domains.blank? - match_found = email_domains.any? do |domain| - escaped = Regexp.escape(domain).gsub('\*', '.*?') - regexp = Regexp.new "^#{escaped}$", Regexp::IGNORECASE - email_domain = Mail::Address.new(self.email).domain - email_domain =~ regexp + if current_application_settings.domain_blacklist_enabled? + blocked_domains = current_application_settings.domain_blacklist + if match_domain(blocked_domains) + self.errors.add :email, 'is not from an allowed domain.' + valid = false end + end - unless match_found + allowed_domains = current_application_settings.restricted_signup_domains + unless allowed_domains.blank? + if match_domain(allowed_domains) + self.errors.clear + valid = true + else self.errors.add :email, 'is not whitelisted. ' + 'Email domains valid for registration are: ' + - email_domains.join(', ') - return false + allowed_domains.join(', ') + valid = false end end - true + return valid end def can_be_removed? |
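Review bot: In `signup_domain_valid?` the whitelist branch calls `self.errors.clear` and sets `valid = true` when `match_domain(allowed_domains)` succeeds, which discards the blacklist error added just above, so an address matching both lists is accepted (for example a wildcard whitelist entry that covers a specifically blacklisted subdomain). If deny is meant to win, drop those two lines and only add the whitelist error when there is no match; if allow is meant to win, say so in a comment and narrow `errors.clear`, which would also remove any errors recorded by earlier callbacks. In `match_domain` the pattern is anchored with `^` and `$`, which in Ruby match at line boundaries rather than string boundaries; `regexp = /\A#{escaped}\z/i` pins the whole domain. `Mail::Address.new(self.email).domain` is loop-invariant and can be computed once before `any?`.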