diff options
author | GitLab Bot <gitlab-bot@gitlab.com> | 2021-04-27 08:57:43 +0000 |
---|---|---|
committer | GitLab Bot <gitlab-bot@gitlab.com> | 2021-04-27 08:57:43 +0000 |
commit | bc299f54e841488b4ab37777761db1dfc7f3b60e (patch) | |
tree | bf58693acb03633a63138874072e3d3af3ee9f76 /app/services/auth | |
parent | 2fad41087674984a064cf6a312ac34c16bb2a1aa (diff) | |
download | gitlab-ce-bc299f54e841488b4ab37777761db1dfc7f3b60e.tar.gz |
Add latest changes from gitlab-org/security/gitlab@13-11-stable-ee
Diffstat (limited to 'app/services/auth')
-rw-r--r-- | app/services/auth/dependency_proxy_authentication_service.rb | 5 |
1 files changed, 4 insertions, 1 deletions
diff --git a/app/services/auth/dependency_proxy_authentication_service.rb b/app/services/auth/dependency_proxy_authentication_service.rb index 1b8c16b7c79..fab42e0ebb6 100644 --- a/app/services/auth/dependency_proxy_authentication_service.rb +++ b/app/services/auth/dependency_proxy_authentication_service.rb @@ -8,7 +8,10 @@ module Auth def execute(authentication_abilities:) return error('dependency proxy not enabled', 404) unless ::Gitlab.config.dependency_proxy.enabled - return error('access forbidden', 403) unless current_user + + # Because app/controllers/concerns/dependency_proxy/auth.rb consumes this + # JWT only as `User.find`, we currently only allow User (not DeployToken, etc) + return error('access forbidden', 403) unless current_user.is_a?(User) { token: authorized_token.encoded } end |