summaryrefslogtreecommitdiff
path: root/spec
diff options
context:
space:
mode:
authorPatricio Cano <suprnova32@gmail.com>2016-06-28 18:19:04 -0500
committerPatricio Cano <suprnova32@gmail.com>2016-06-29 10:37:54 -0500
commit10444f61f85219eb6b2c10586996717d3b0afa8b (patch)
tree68e635fc03b159ce21c9a48a3034367a6865eefb /spec
parentebe21acc2a2f0a569e1e10314ac9407024becafb (diff)
downloadgitlab-ce-10444f61f85219eb6b2c10586996717d3b0afa8b.tar.gz
Fixed privilege escalation issue where manually set external users would be reverted back to internal users if they logged in via OAuth and that provider was not in the `external_providers` list.
Diffstat (limited to 'spec')
-rw-r--r--spec/lib/gitlab/o_auth/user_spec.rb17
1 files changed, 15 insertions, 2 deletions
diff --git a/spec/lib/gitlab/o_auth/user_spec.rb b/spec/lib/gitlab/o_auth/user_spec.rb
index 6727a83e58a..fbb5895c2ef 100644
--- a/spec/lib/gitlab/o_auth/user_spec.rb
+++ b/spec/lib/gitlab/o_auth/user_spec.rb
@@ -51,12 +51,25 @@ describe Gitlab::OAuth::User, lib: true do
end
context 'provider was external, now has been removed' do
- it 'should mark existing user internal' do
+ it 'should not mark external user as internal' do
create(:omniauth_user, extern_uid: 'my-uid', provider: 'twitter', external: true)
stub_omniauth_config(allow_single_sign_on: ['twitter'], external_providers: ['facebook'])
oauth_user.save
expect(gl_user).to be_valid
- expect(gl_user.external).to be_falsey
+ expect(gl_user.external).to be_truthy
+ end
+ end
+
+ context 'provider is not external' do
+ context 'when adding a new OAuth identity' do
+ it 'should not promote an external user to internal' do
+ user = create(:user, email: 'john@mail.com', external: true)
+ user.identities.create(provider: provider, extern_uid: uid)
+
+ oauth_user.save
+ expect(gl_user).to be_valid
+ expect(gl_user.external).to be_truthy
+ end
end
end