Add latest changes from gitlab-org/security/gitlab@13-11-stable-ee

author: GitLab Bot <gitlab-bot@gitlab.com> 2021-04-27 08:57:43 +0000
committer: GitLab Bot <gitlab-bot@gitlab.com> 2021-04-27 08:57:43 +0000
commit: bc299f54e841488b4ab37777761db1dfc7f3b60e (patch)
tree: bf58693acb03633a63138874072e3d3af3ee9f76 /app/services/auth
parent: 2fad41087674984a064cf6a312ac34c16bb2a1aa (diff)
download: gitlab-ce-bc299f54e841488b4ab37777761db1dfc7f3b60e.tar.gz
1 files changed, 4 insertions, 1 deletions
diff --git a/app/services/auth/dependency_proxy_authentication_service.rb b/app/services/auth/dependency_proxy_authentication_service.rb
index 1b8c16b7c79..fab42e0ebb6 100644
--- a/app/services/auth/dependency_proxy_authentication_service.rb
+++ b/app/services/auth/dependency_proxy_authentication_service.rb
@@ -8,7 +8,10 @@ module Auth
 
     def execute(authentication_abilities:)
       return error('dependency proxy not enabled', 404) unless ::Gitlab.config.dependency_proxy.enabled
-      return error('access forbidden', 403) unless current_user
+
+      # Because app/controllers/concerns/dependency_proxy/auth.rb consumes this
+      # JWT only as `User.find`, we currently only allow User (not DeployToken, etc)
+      return error('access forbidden', 403) unless current_user.is_a?(User)
 
       { token: authorized_token.encoded }
     end
author	GitLab Bot <gitlab-bot@gitlab.com>	2021-04-27 08:57:43 +0000
committer	GitLab Bot <gitlab-bot@gitlab.com>	2021-04-27 08:57:43 +0000
commit	bc299f54e841488b4ab37777761db1dfc7f3b60e (patch)
tree	bf58693acb03633a63138874072e3d3af3ee9f76 /app/services/auth
parent	2fad41087674984a064cf6a312ac34c16bb2a1aa (diff)
download	gitlab-ce-bc299f54e841488b4ab37777761db1dfc7f3b60e.tar.gz