authorPatricio Cano <suprnova32@gmail.com>2016-06-28 18:19:04 -0500
committerPatricio Cano <suprnova32@gmail.com>2016-06-29 10:37:54 -0500
commit10444f61f85219eb6b2c10586996717d3b0afa8b (patch)
tree68e635fc03b159ce21c9a48a3034367a6865eefb /spec/lib/gitlab/o_auth
parentebe21acc2a2f0a569e1e10314ac9407024becafb (diff)
Fixed privilege escalation issue where manually set external users would be reverted back to internal users if they logged in via OAuth and that provider was not in the `external_providers` list.
Diffstat (limited to 'spec/lib/gitlab/o_auth')
-rw-r--r--spec/lib/gitlab/o_auth/user_spec.rb17
1 files changed, 15 insertions, 2 deletions
diff --git a/spec/lib/gitlab/o_auth/user_spec.rb b/spec/lib/gitlab/o_auth/user_spec.rb
index 6727a83e58a..fbb5895c2ef 100644
--- a/spec/lib/gitlab/o_auth/user_spec.rb
+++ b/spec/lib/gitlab/o_auth/user_spec.rb
@@ -51,12 +51,25 @@ describe Gitlab::OAuth::User, lib: true do
end
context 'provider was external, now has been removed' do
- it 'should mark existing user internal' do
+ it 'should not mark external user as internal' do
create(:omniauth_user, extern_uid: 'my-uid', provider: 'twitter', external: true)
stub_omniauth_config(allow_single_sign_on: ['twitter'], external_providers: ['facebook'])
oauth_user.save
expect(gl_user).to be_valid
- expect(gl_user.external).to be_falsey
+ expect(gl_user.external).to be_truthy
+ end
+ end
+
+ context 'provider is not external' do
+ context 'when adding a new OAuth identity' do
+ it 'should not promote an external user to internal' do
+ user = create(:user, email: 'john@mail.com', external: true)
+ user.identities.create(provider: provider, extern_uid: uid)
+
+ oauth_user.save
+ expect(gl_user).to be_valid
+ expect(gl_user.external).to be_truthy
+ end
end
end
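Review bot: The new 'provider is not external' example never states which providers are external — it relies on whatever `external_providers` the surrounding `let`s or the default `stub_omniauth_config` leave in place, so if that default happens to list `provider`, the user stays external for the wrong reason and the regression this commit fixes is not actually exercised. Make the precondition explicit inside the example, e.g. `stub_omniauth_config(allow_single_sign_on: [provider], external_providers: [])` before `oauth_user.save`, mirroring the explicit stub in the 'provider was external, now has been removed' example above. The example name 'when adding a new OAuth identity' is also a little misleading, since the identity is created before `oauth_user.save` runs and save only finds it; 'when the user already has an identity for a non-external provider' describes the setup more accurately. Consider a companion example asserting that an internal user who signs in through a provider that is still in `external_providers` does get marked external, so the fix is known not to have simply stopped updating `external` in both directions (that case may be covered elsewhere in this spec, outside the hunk). The `describe` block and the `provider`/`uid` definitions this example uses sit outside the hunk.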