Diffstat (limited to 'app/controllers/oauth/authorizations_controller.rb')
-rw-r--r-- | app/controllers/oauth/authorizations_controller.rb | 17 |
1 files changed, 2 insertions, 15 deletions
diff --git a/app/controllers/oauth/authorizations_controller.rb b/app/controllers/oauth/authorizations_controller.rb
index d1c409d071e..0817813f967 100644
--- a/app/controllers/oauth/authorizations_controller.rb
+++ b/app/controllers/oauth/authorizations_controller.rb
@@ -5,7 +5,7 @@ class Oauth::AuthorizationsController < Doorkeeper::AuthorizationsController
 include InitializesCurrentUserMode
 include Gitlab::Utils::StrongMemoize
- before_action :verify_confirmed_email!, :verify_confidential_application!
+ before_action :verify_confirmed_email!
 layout 'profile'
@@ -37,8 +37,7 @@ class Oauth::AuthorizationsController < Doorkeeper::AuthorizationsController
 # limit scopes when signing in with GitLab
 def downgrade_scopes!
- return unless Feature.enabled?(:omniauth_login_minimal_scopes, current_user,
- default_enabled: :yaml)
+ return unless Feature.enabled?(:omniauth_login_minimal_scopes, current_user)
 auth_type = params.delete('gl_auth_type')
 return unless auth_type == 'login'
@@ -78,18 +77,6 @@ class Oauth::AuthorizationsController < Doorkeeper::AuthorizationsController
 doorkeeper_application&.includes_scope?(*::Gitlab::Auth::API_SCOPES)
 end
- # Confidential apps require the client_secret to be sent with the request.
- # Doorkeeper allows implicit grant flow requests (response_type=token) to
- # work without client_secret regardless of the confidential setting.
- # This leads to security vulnerabilities and we want to block it.
- def verify_confidential_application!
- render 'doorkeeper/authorizations/error' if authorizable_confidential?
- end
-
- def authorizable_confidential?
- pre_auth.authorizable? && pre_auth.response_type == 'token' && pre_auth.client.application.confidential
- end
-
 def verify_confirmed_email!
 return if current_user&.confirmed? |
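Review bot: Dropping `:verify_confidential_application!` from the `before_action` in the first hunk removes the only check in this controller that blocked implicit-grant requests (`response_type=token`) for confidential applications, and the deleted comment in the third hunk records that this was a deliberate security guard; nothing on the new side replaces it. Presumably the same rule is now enforced upstream by Doorkeeper's pre-authorization validation, but that dependency is invisible here, so the change should be pinned by a request spec asserting that an implicit-grant authorization for a confidential app is still rejected, and the rationale kept next to the remaining `before_action`, e.g. `# Implicit grant for confidential apps is rejected by Doorkeeper's pre-authorization validation (see <UPSTREAM_VERSION_OR_CONFIG_REFERENCE>).` The class body continues outside these hunks.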
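Review bot: Removing `default_enabled: :yaml` from the `Feature.enabled?` call in `downgrade_scopes!` moves the flag's default out of this file, so the `return unless` guard now depends entirely on how `:omniauth_login_minimal_scopes` is defined elsewhere; confirm the flag definition carries the intended default, since a flag that resolves to disabled here skips the scope downgrade on login silently. `downgrade_scopes!` continues past the end of the hunk.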