3 files changed, 23 insertions, 16 deletions

diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb
index d0546a441e1..5ffec7f75bf 100644
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -201,15 +201,10 @@ class ApplicationController < ActionController::Base
 
   def ldap_security_check
     if current_user && current_user.requires_ldap_check?
-      gitlab_ldap_access do |access|
-        if access.allowed?(current_user)
-          current_user.last_credential_check_at = Time.now
-          current_user.save
-        else
-          sign_out current_user
-          flash[:alert] = "Access denied for your LDAP account."
-          redirect_to new_user_session_path
-        end
+      unless Gitlab::LDAP::Access.allowed?(current_user)
+        sign_out current_user
+        flash[:alert] = "Access denied for your LDAP account."
+        redirect_to new_user_session_path
       end
     end
   end
diff --git a/app/controllers/omniauth_callbacks_controller.rb b/app/controllers/omniauth_callbacks_controller.rb
index ef2afec52dc..3ed6a69c2d8 100644
--- a/app/controllers/omniauth_callbacks_controller.rb
+++ b/app/controllers/omniauth_callbacks_controller.rb
@@ -21,13 +21,12 @@ class OmniauthCallbacksController < Devise::OmniauthCallbacksController
     @user = Gitlab::LDAP::User.find_or_create(oauth)
     @user.remember_me = true if @user.persisted?
 
-    gitlab_ldap_access do |access|
-      if access.allowed?(@user)
-        sign_in_and_redirect(@user)
-      else
-        flash[:alert] = "Access denied for your LDAP account."
-        redirect_to new_user_session_path
-      end
+    # Do additional LDAP checks for the user filter and EE features
+    if Gitlab::LDAP::Access.allowed?(@user)
+      sign_in_and_redirect(@user)
+    else
+      flash[:alert] = "Access denied for your LDAP account."
+      redirect_to new_user_session_path
     end
   end
 
diff --git a/lib/gitlab/ldap/access.rb b/lib/gitlab/ldap/access.rb
index 4e48ff11871..62709a12942 100644
--- a/lib/gitlab/ldap/access.rb
+++ b/lib/gitlab/ldap/access.rb
@@ -9,6 +9,19 @@ module Gitlab
         end
       end
 
+      def self.allowed?(user)
+        self.open do |access|
+          if access.allowed?(user)
+            # GitLab EE LDAP code goes here
+            user.last_credential_check_at = Time.now
+            user.save
+            true
+          else
+            false
+          end
+        end
+      end
+
       def initialize(adapter=nil)
         @adapter = adapter
       end