diff options
Diffstat (limited to 'lib/gitlab/auth.rb')
| -rw-r--r-- | lib/gitlab/auth.rb | 16 |
1 files changed, 10 insertions, 6 deletions
diff --git a/lib/gitlab/auth.rb b/lib/gitlab/auth.rb index ece4946383d..609eef5e365 100644 --- a/lib/gitlab/auth.rb +++ b/lib/gitlab/auth.rb @@ -50,7 +50,7 @@ module Gitlab build_access_token_check(login, password) || lfs_token_check(login, password, project) || oauth_access_token_check(login, password) || - personal_access_token_check(password) || + personal_access_token_check(password, project) || deploy_token_check(login, password, project) || user_with_password_for_git(login, password) || Gitlab::Auth::Result.new @@ -117,7 +117,6 @@ module Gitlab private - # rubocop:disable Gitlab/RailsLogger def rate_limit!(rate_limiter, success:, login:) return if skip_rate_limit?(login: login) @@ -132,12 +131,11 @@ module Gitlab # This returns true when the failures are over the threshold and the IP # is banned. if rate_limiter.register_fail! - Rails.logger.info "IP #{rate_limiter.ip} failed to login " \ + Gitlab::AppLogger.info "IP #{rate_limiter.ip} failed to login " \ "as #{login} but has been temporarily banned from Git auth" end end end - # rubocop:enable Gitlab/RailsLogger def skip_rate_limit?(login:) CI_JOB_USER == login @@ -191,12 +189,18 @@ module Gitlab end end - def personal_access_token_check(password) + def personal_access_token_check(password, project) return unless password.present? token = PersonalAccessTokensFinder.new(state: 'active').find_by_token(password) - if token && valid_scoped_token?(token, all_available_scopes) && token.user.can?(:log_in) + return unless token + + return if project && token.user.project_bot? && !project.bots.include?(token.user) + + return unless valid_scoped_token?(token, all_available_scopes) + + if token.user.project_bot? || token.user.can?(:log_in) Gitlab::Auth::Result.new(token.user, nil, :personal_access_token, abilities_for_scopes(token.scopes)) end end |