Don't allow blocked users to authenticate through other means

Gitlab::Auth.find_with_user_password is currently used in these places: - resource_owner_from_credentials in config/initializers/doorkeeper.rb, which is used for the OAuth Resource Owner Password Credentials flow - the /session API call in lib/api/session.rb, which is used to reveal the user's current authentication_token In both cases users should only be authenticated if they're in the active state.
author: Markus Koller <markus-koller@gmx.ch> 2017-01-18 11:23:25 +0100
committer: Alexis Reigel <mail@koffeinfrei.org> 2017-03-07 15:00:29 +0100
commit: 93daeee16428707fc348f8c45215854aed6e117a (patch)
tree: 074d2b524711a42f0f76a27df8d187bd7c6a4ce9 /lib
parent: 789db2cc19b20a4df8ff9f02dd1a771e2736d2fd (diff)
download: gitlab-ce-93daeee16428707fc348f8c45215854aed6e117a.tar.gz
1 files changed, 1 insertions, 1 deletions
diff --git a/lib/gitlab/auth.rb b/lib/gitlab/auth.rb
index 6166f8d0dd9..c6f9d0d7b82 100644
--- a/lib/gitlab/auth.rb
+++ b/lib/gitlab/auth.rb
@@ -40,7 +40,7 @@ module Gitlab
 
             Gitlab::LDAP::Authentication.login(login, password)
           else
-            user if user.valid_password?(password)
+            user if user.active? && user.valid_password?(password)
           end
         end
       end
author	Markus Koller <markus-koller@gmx.ch>	2017-01-18 11:23:25 +0100
committer	Alexis Reigel <mail@koffeinfrei.org>	2017-03-07 15:00:29 +0100
commit	93daeee16428707fc348f8c45215854aed6e117a (patch)
tree	074d2b524711a42f0f76a27df8d187bd7c6a4ce9 /lib
parent	789db2cc19b20a4df8ff9f02dd1a771e2736d2fd (diff)
download	gitlab-ce-93daeee16428707fc348f8c45215854aed6e117a.tar.gz