author | Imre Farkas <ifarkas@gitlab.com> | 2018-11-24 13:39:16 +0100 |
---|---|---|
committer | Imre Farkas <ifarkas@gitlab.com> | 2018-11-29 09:37:16 +0100 |
commit | bd3a4840329160a64c0cac25ed6c1d3b22f5bdb4 (patch) | |
tree | 66749539b5aa0544c156374de84671f54dcaa080 /app | |
parent | c07183f0d3ce24e8cfcb93e71ae950d7067a8ce1 (diff) | |
Add config to disable impersonation
Adds gitlab.impersonation_enabled config option defaulting to true to
keep the current default behaviour.
Only the act of impersonating is affected (starting an impersonation session from the admin area, and authenticating with an impersonation token); impersonation token management is not affected.
Diffstat (limited to 'app')
-rw-r--r-- | app/controllers/admin/impersonations_controller.rb | 13 | ||||
-rw-r--r-- | app/controllers/admin/users_controller.rb | 5 | ||||
-rw-r--r-- | app/controllers/application_controller.rb | 25 | ||||
-rw-r--r-- | app/helpers/users_helper.rb | 4 | ||||
-rw-r--r-- | app/services/access_token_validation_service.rb | 6 | ||||
-rw-r--r-- | app/views/admin/users/_head.html.haml | 2 |
6 files changed, 42 insertions, 13 deletions
diff --git a/app/controllers/admin/impersonations_controller.rb b/app/controllers/admin/impersonations_controller.rb
index 08d7e3b4fa2..65fe22bd8f4 100644
--- a/app/controllers/admin/impersonations_controller.rb
+++ b/app/controllers/admin/impersonations_controller.rb
@@ -5,23 +5,12 @@ class Admin::ImpersonationsController < Admin::ApplicationController
 before_action :authenticate_impersonator!
 def destroy
- original_user = current_user
-
- warden.set_user(impersonator, scope: :user)
-
- Gitlab::AppLogger.info("User #{impersonator.username} has stopped impersonating #{original_user.username}")
-
- session[:impersonator_id] = nil
-
+ original_user = stop_impersonation
 redirect_to admin_user_path(original_user), status: :found
 end
 private
- def impersonator
- @impersonator ||= User.find(session[:impersonator_id]) if session[:impersonator_id]
- end
-
 def authenticate_impersonator!
 render_404 unless impersonator && impersonator.admin? && !impersonator.blocked?
 end
diff --git a/app/controllers/admin/users_controller.rb b/app/controllers/admin/users_controller.rb
index b783c0e2a6f..e93be1c1ba2 100644
--- a/app/controllers/admin/users_controller.rb
+++ b/app/controllers/admin/users_controller.rb
@@ -2,6 +2,7 @@ class Admin::UsersController < Admin::ApplicationController
 before_action :user, except: [:index, :new, :create]
+ before_action :check_impersonation_availability, only: :impersonate
 def index
 @users = User.order_name_asc.filter(params[:filter])
@@ -227,4 +228,8 @@ class Admin::UsersController < Admin::ApplicationController
 result[:status] == :success
 end
+
+ def check_impersonation_availability
+ access_denied! unless Gitlab.config.gitlab.impersonation_enabled
+ end
 end
diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb
index dbb22127e82..65c1576d9d2 100644
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
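Review bot: The private `check_impersonation_availability` added at the end of Admin::UsersController reuses the exact name of the callback that ApplicationController registers unconditionally in this same commit, so in this controller the inherited method is overridden by one that never looks at `session[:impersonator_id]`, and — as I read ActiveSupport::Callbacks, which replaces a callback re-registered under the same filter name — the `only: :impersonate` registration also narrows the base-class check to that single action. The session-based "stop impersonating once the feature is turned off" check therefore no longer runs for the remaining actions of Admin::UsersController, and nothing in the hunk makes that shadowing intentional. Giving the admin-side guard its own name avoids both effects: `before_action :check_impersonation_enabled!, only: :impersonate` together with `def check_impersonation_enabled!` / `access_denied! unless Gitlab.config.gitlab.impersonation_enabled`. The class itself starts before the hunk; only its tail is visible here.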
@@ -28,6 +28,7 @@ class ApplicationController < ActionController::Base
 before_action :configure_permitted_parameters, if: :devise_controller?
 before_action :require_email, unless: :devise_controller?
 before_action :set_usage_stats_consent_flag
+ before_action :check_impersonation_availability
 around_action :set_locale
@@ -462,4 +463,28 @@ class ApplicationController < ActionController::Base
 .new(settings, current_user, application_setting_params)
 .execute
 end
+
+ def check_impersonation_availability
+ return unless session[:impersonator_id]
+
+ unless Gitlab.config.gitlab.impersonation_enabled
+ stop_impersonation
+ access_denied! _('Impersonation has been disabled')
+ end
+ end
+
+ def stop_impersonation
+ impersonated_user = current_user
+
+ Gitlab::AppLogger.info("User #{impersonator.username} has stopped impersonating #{impersonated_user.username}")
+
+ warden.set_user(impersonator, scope: :user)
+ session[:impersonator_id] = nil
+
+ impersonated_user
+ end
+
+ def impersonator
+ @impersonator ||= User.find(session[:impersonator_id]) if session[:impersonator_id]
+ end
 end
diff --git a/app/helpers/users_helper.rb b/app/helpers/users_helper.rb
index 42b533ad772..bde9ca0cbf2 100644
--- a/app/helpers/users_helper.rb
+++ b/app/helpers/users_helper.rb
@@ -70,6 +70,10 @@ module UsersHelper
 end
 end
+
+ def impersonation_enabled?
+ Gitlab.config.gitlab.impersonation_enabled
+ end
 private
 def get_profile_tabs
diff --git a/app/services/access_token_validation_service.rb b/app/services/access_token_validation_service.rb
index 2a337918d21..40aa9250885 100644
--- a/app/services/access_token_validation_service.rb
+++ b/app/services/access_token_validation_service.rb
@@ -6,6 +6,7 @@ class AccessTokenValidationService
 EXPIRED = :expired
 REVOKED = :revoked
 INSUFFICIENT_SCOPE = :insufficient_scope
+ IMPERSONATION_DISABLED = :impersonation_disabled
 attr_reader :token, :request
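Review bot: `stop_impersonation` switches the session back to `session[:impersonator_id]` via `warden.set_user` without the `admin? && !blocked?` guard that `Admin::ImpersonationsController#authenticate_impersonator!` still applies on the explicit stop path, so the config-driven path in `check_impersonation_availability` re-authenticates whatever user the session points at, even one demoted or blocked since the impersonation began (Devise's after_set_user hook presumably rejects a blocked user, but nothing here handles a demoted one). `impersonator` also resolves with `User.find`, so a deleted impersonator turns every request of that session into an ActiveRecord::RecordNotFound once the feature is disabled, instead of clearing the stale session. I would resolve it with `User.find_by(id: session[:impersonator_id])` and, when it is missing or no longer an admin, `sign_out` and clear `session[:impersonator_id]` rather than calling `warden.set_user`. A short comment on `check_impersonation_availability` noting that it runs on every request but only resolves the impersonator for impersonating sessions with the feature disabled would also help; the class body continues outside the hunk.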
@@ -24,6 +25,11 @@ class AccessTokenValidationService
 elsif !self.include_any_scope?(scopes)
 return INSUFFICIENT_SCOPE
+ elsif token.respond_to?(:impersonation) &&
+ token.impersonation &&
+ !Gitlab.config.gitlab.impersonation_enabled
+ return IMPERSONATION_DISABLED
+
 else
 return VALID
 end
diff --git a/app/views/admin/users/_head.html.haml b/app/views/admin/users/_head.html.haml
index bfbc16d37a0..a733f420d11 100644
--- a/app/views/admin/users/_head.html.haml
+++ b/app/views/admin/users/_head.html.haml
@@ -8,7 +8,7 @@
 %span.cred (Admin)
 .float-right
- - if @user != current_user && @user.can?(:log_in)
+ - if impersonation_enabled? && @user != current_user && @user.can?(:log_in)
 = link_to 'Impersonate', impersonate_admin_user_path(@user), method: :post, class: "btn btn-nr btn-grouped btn-info"
 = link_to edit_admin_user_path(@user), class: "btn btn-nr btn-grouped" do
 %i.fa.fa-pencil-square-o |
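Review bot: The new `IMPERSONATION_DISABLED` branch introduces a fourth failure value that every caller switching on this service's result must now handle; the diffstat is limited to app/, so I cannot see whether the authentication helpers that consume `EXPIRED`, `REVOKED` and `INSUFFICIENT_SCOPE` (presumably under lib/) were updated, and an unmatched value would fall into whatever their else branch does today. That is worth confirming in the same change, and the branch ordering deserves a comment, since an impersonation token that is also expired, revoked or out of scope reports the earlier reason first: `# Checked after expiry/revocation/scope so the caller sees the more specific failure first`. The `respond_to?(:impersonation) && token.impersonation` pair could be written `token.try(:impersonation)`, but that is a matter of taste. The if/elsif chain this branch belongs to starts before the hunk.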