| field | value | date |
|---|---|---|
| author | Markus Koller <markus-koller@gmx.ch> | 2017-01-18 11:23:25 +0100 |
| committer | Alexis Reigel <mail@koffeinfrei.org> | 2017-03-07 15:00:29 +0100 |
| commit | 93daeee16428707fc348f8c45215854aed6e117a (patch) | |
| tree | 074d2b524711a42f0f76a27df8d187bd7c6a4ce9 /spec/lib/gitlab/auth_spec.rb | |
| parent | 789db2cc19b20a4df8ff9f02dd1a771e2736d2fd (diff) | |
| download | gitlab-ce-93daeee16428707fc348f8c45215854aed6e117a.tar.gz | |
Don't allow blocked users to authenticate through other means
Gitlab::Auth.find_with_user_password is currently used in these places:
- resource_owner_from_credentials in config/initializers/doorkeeper.rb,
which is used for the OAuth Resource Owner Password Credentials flow
- the /session API call in lib/api/session.rb, which is used to reveal
the user's current authentication_token
In both cases users should only be authenticated if they're in the
active state.
Diffstat (limited to 'spec/lib/gitlab/auth_spec.rb')
-rw-r--r-- | spec/lib/gitlab/auth_spec.rb | 12
1 files changed, 12 insertions, 0 deletions
diff --git a/spec/lib/gitlab/auth_spec.rb b/spec/lib/gitlab/auth_spec.rb index daf8f5c1d6c..8726ca569ca 100644 --- a/spec/lib/gitlab/auth_spec.rb +++ b/spec/lib/gitlab/auth_spec.rb @@ -210,6 +210,18 @@ describe Gitlab::Auth, lib: true do end end + it "does not find user in blocked state" do + user.block + + expect( gl_auth.find_with_user_password(username, password) ).not_to eql user + end + + it "does not find user in ldap_blocked state" do + user.ldap_block + + expect( gl_auth.find_with_user_password(username, password) ).not_to eql user + end + context "with ldap enabled" do before do allow(Gitlab::LDAP::Config).to receive(:enabled?).and_return(true) |
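Review bot: the assertion `not_to eql user` in both new examples ("does not find user in blocked state" and "does not find user in ldap_blocked state") is weaker than the behaviour the commit message describes; it also passes if `find_with_user_password` returns some other user or any unexpected truthy value. Since the intent is that a blocked user is not authenticated at all, assert the result directly, e.g. `expect(gl_auth.find_with_user_password(username, password)).to be_nil`. Separately, the spacing inside `expect( ... )` differs from the surrounding spec, which writes `allow(Gitlab::LDAP::Config).to receive(:enabled?)` without inner padding; matching that keeps the file consistent.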