author | Jan-Willem van der Meer <mail@jewilmeer.nl> | 2014-10-16 11:46:40 +0200 |
---|---|---|
committer | Jan-Willem van der Meer <mail@jewilmeer.nl> | 2014-10-16 11:46:40 +0200 |
commit | 92c184a57f7698e79288b380cebc68b839afb4f5 (patch) | |
tree | ed2dfe2946984c0429d09f71c74ad68803fd02f4 /app | |
parent | 05922e71f45670a1b75d8b700bf894258c79fcd7 (diff) | |
download | gitlab-ce-92c184a57f7698e79288b380cebc68b839afb4f5.tar.gz |

Disallow new users from OAuth signup if `allow_single_sign_on` is disabled

Because devise will trigger a save, allowing unsaved users to log in, behaviour had changed.
The current implementation returns a pre-built user, which can be saved without errors.

Reported in #1677

Diffstat (limited to 'app')
-rw-r--r-- | app/controllers/omniauth_callbacks_controller.rb | 8 |
1 files changed, 6 insertions, 2 deletions
diff --git a/app/controllers/omniauth_callbacks_controller.rb b/app/controllers/omniauth_callbacks_controller.rb index f46b36568f3..589f8387b03 100644 --- a/app/controllers/omniauth_callbacks_controller.rb +++ b/app/controllers/omniauth_callbacks_controller.rb @@ -54,11 +54,15 @@ class OmniauthCallbacksController < Devise::OmniauthCallbacksController @user.save end - if @user.valid? + # Only allow properly saved users to login. + if @user.persisted? && @user.valid? sign_in_and_redirect(@user.gl_user) - else + elsif @user.gl_user.errors.any? error_message = @user.gl_user.errors.map{ |attribute, message| "#{attribute} #{message}" }.join(", ") redirect_to omniauth_error_path(oauth['provider'], error: error_message) and return + else + flash[:notice] = "There's no such user!" + redirect_to new_user_session_path end end end |
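
Review bot: In the new `else` branch, the fall-through case is broader than its notice suggests. It is reached whenever `@user.persisted? && @user.valid?` is false and `@user.gl_user.errors` is empty, so a persisted `@user` that fails `valid?` without any errors on `gl_user` is also told "There's no such user!". Consider checking persistence and errors on the same object, or wording the notice for the case the commit message describes (sign-up through the provider is disabled when `allow_single_sign_on` is off). The new `redirect_to new_user_session_path` also omits the `and return` that the `elsif` redirect uses; it is harmless as the last statement, but matching the two keeps the action safe if code is later added after the conditional. If it is not already covered outside `app/`, a controller spec asserting that an unsaved user gets no session and is redirected to the sign-in page would pin the behaviour this change fixes.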