Merge branch 'bvl-fix-login-issue-with-ldap-enabled' into 'master'

Load the sessionscontroller after loading the ldap strategies Closes #35447 See merge request !13049
author: Robert Speicher <robert@gitlab.com> 2017-07-24 22:42:52 +0000
committer: Mike Greiling <mike@pixelcog.com> 2017-07-24 22:54:33 -0500
commit: 2cde1f45222c55b3c9f50cc7da6d1edb777d8a56 (patch)
tree: 559614311aab0a64d0479ec45d9de13c30d6875a /app
parent: e8203a11ad01de5c50147f06de0af0c2cb5a375f (diff)
download: gitlab-ce-2cde1f45222c55b3c9f50cc7da6d1edb777d8a56.tar.gz
1 files changed, 8 insertions, 0 deletions
diff --git a/app/controllers/sessions_controller.rb b/app/controllers/sessions_controller.rb
index f39441a281e..8118a32aeef 100644
--- a/app/controllers/sessions_controller.rb
+++ b/app/controllers/sessions_controller.rb
@@ -5,6 +5,14 @@ class SessionsController < Devise::SessionsController
 
   skip_before_action :check_two_factor_requirement, only: [:destroy]
 
+  # Explicitly call protect from forgery before anything else. Otherwise the
+  # CSFR-token might be cleared before authentication is done. This was the case
+  # when LDAP was enabled and the `OmniauthCallbacksController` is loaded
+  #
+  # *Note:* `prepend: true` is the default for rails4, but this will be changed
+  # to `prepend: false` in rails5.
+  protect_from_forgery prepend: true, with: :exception
+
   prepend_before_action :check_initial_setup, only: [:new]
   prepend_before_action :authenticate_with_two_factor,
     if: :two_factor_enabled?, only: [:create]
author	Robert Speicher <robert@gitlab.com>	2017-07-24 22:42:52 +0000
committer	Mike Greiling <mike@pixelcog.com>	2017-07-24 22:54:33 -0500
commit	2cde1f45222c55b3c9f50cc7da6d1edb777d8a56 (patch)
tree	559614311aab0a64d0479ec45d9de13c30d6875a /app
parent	e8203a11ad01de5c50147f06de0af0c2cb5a375f (diff)
download	gitlab-ce-2cde1f45222c55b3c9f50cc7da6d1edb777d8a56.tar.gz