1 files changed, 25 insertions, 4 deletions

diff --git a/app/controllers/admin/sessions_controller.rb b/app/controllers/admin/sessions_controller.rb
index 1f946e41995..f9587655a8d 100644
--- a/app/controllers/admin/sessions_controller.rb
+++ b/app/controllers/admin/sessions_controller.rb
@@ -6,17 +6,23 @@ class Admin::SessionsController < ApplicationController
   before_action :user_is_admin!
 
   def new
-    # Renders a form in which the admin can enter their password
+    if current_user_mode.admin_mode?
+      redirect_to redirect_path, notice: _('Admin mode already enabled')
+    else
+      current_user_mode.request_admin_mode! unless current_user_mode.admin_mode_requested?
+      store_location_for(:redirect, redirect_path)
+    end
   end
 
   def create
     if current_user_mode.enable_admin_mode!(password: params[:password])
-      redirect_location = stored_location_for(:redirect) || admin_root_path
-      redirect_to safe_redirect_path(redirect_location)
+      redirect_to redirect_path, notice: _('Admin mode enabled')
     else
-      flash.now[:alert] = _('Invalid Login or password')
+      flash.now[:alert] = _('Invalid login or password')
       render :new
     end
+  rescue Gitlab::Auth::CurrentUserMode::NotRequestedError
+    redirect_to new_admin_session_path, alert: _('Re-authentication period expired or never requested. Please try again')
   end
 
   def destroy
@@ -30,4 +36,19 @@ class Admin::SessionsController < ApplicationController
   def user_is_admin!
     render_404 unless current_user&.admin?
   end
+
+  def redirect_path
+    redirect_to_path = safe_redirect_path(stored_location_for(:redirect)) || safe_redirect_path_for_url(request.referer)
+
+    if redirect_to_path &&
+        excluded_redirect_paths.none? { |excluded| redirect_to_path.include?(excluded) }
+      redirect_to_path
+    else
+      admin_root_path
+    end
+  end
+
+  def excluded_redirect_paths
+    [new_admin_session_path, admin_session_path]
+  end
 end