author | Patricio Cano <suprnova32@gmail.com> | 2016-06-28 18:19:04 -0500 |
---|---|---|
committer | Patricio Cano <suprnova32@gmail.com> | 2016-06-29 10:37:54 -0500 |
commit | 10444f61f85219eb6b2c10586996717d3b0afa8b (patch) | |
tree | 68e635fc03b159ce21c9a48a3034367a6865eefb /spec | |
parent | ebe21acc2a2f0a569e1e10314ac9407024becafb (diff) | |
download | gitlab-ce-10444f61f85219eb6b2c10586996717d3b0afa8b.tar.gz |
Fixed privilege escalation issue where manually set external users would be reverted back to internal users if they logged in via OAuth and that provider was not in the `external_providers` list.
Diffstat (limited to 'spec')
-rw-r--r-- | spec/lib/gitlab/o_auth/user_spec.rb | 17 |
1 files changed, 15 insertions, 2 deletions
diff --git a/spec/lib/gitlab/o_auth/user_spec.rb b/spec/lib/gitlab/o_auth/user_spec.rb
index 6727a83e58a..fbb5895c2ef 100644
--- a/spec/lib/gitlab/o_auth/user_spec.rb
+++ b/spec/lib/gitlab/o_auth/user_spec.rb
@@ -51,12 +51,25 @@ describe Gitlab::OAuth::User, lib: true do
       end
 
       context 'provider was external, now has been removed' do
-        it 'should mark existing user internal' do
+        it 'should not mark external user as internal' do
           create(:omniauth_user, extern_uid: 'my-uid', provider: 'twitter', external: true)
           stub_omniauth_config(allow_single_sign_on: ['twitter'], external_providers: ['facebook'])
 
           oauth_user.save
           expect(gl_user).to be_valid
-          expect(gl_user.external).to be_falsey
+          expect(gl_user.external).to be_truthy
+        end
+      end
+
+      context 'provider is not external' do
+        context 'when adding a new OAuth identity' do
+          it 'should not promote an external user to internal' do
+            user = create(:user, email: 'john@mail.com', external: true)
+            user.identities.create(provider: provider, extern_uid: uid)
+
+            oauth_user.save
+            expect(gl_user).to be_valid
+            expect(gl_user.external).to be_truthy
+          end
         end
       end
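Review bot: The context label `when adding a new OAuth identity` does not describe what the new example exercises: `user.identities.create(provider: provider, extern_uid: uid)` runs before `oauth_user.save`, so the save path finds an already-linked identity rather than adding one, and the label should say so, e.g. `context 'when the user already has an identity for a non-external provider' do`. Both examples in the hunk assert only the non-promotion direction (an external user stays external); unless it is covered elsewhere in the file, a companion example should pin the opposite direction, that an existing internal user who signs in via a provider listed in `external_providers` is marked external, so the fix cannot have made the flag sticky the other way. `provider` and `uid` appear to be `let`s defined above the hunk, and the enclosing `describe` block starts and ends outside it, so the sketch below assumes the same auth-hash fixture the existing examples use and should be checked against those definitions.

```ruby
      context 'provider is external' do
        it 'marks an existing internal user as external on sign-in' do
          create(:omniauth_user, extern_uid: 'my-uid', provider: 'twitter', external: false)
          stub_omniauth_config(allow_single_sign_on: ['twitter'], external_providers: ['twitter'])

          oauth_user.save
          expect(gl_user).to be_valid
          expect(gl_user.external).to be_truthy
        end
      end
```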