From 34bf165147787125a601ad30a4a71ba7f966f724 Mon Sep 17 00:00:00 2001
From: Patricio Cano
Date: Tue, 14 Jun 2016 18:28:17 -0500
Subject: Disable the unlink feature for SAML connected accounts (social login).

---
 app/controllers/profiles/accounts_controller.rb | 2 +-
 app/views/profiles/accounts/show.html.haml | 10 +++++---
 .../profiles/accounts_controller_spec.rb | 28 ++++++++++++++++++++++
 3 files changed, 36 insertions(+), 4 deletions(-)
 create mode 100644 spec/controllers/profiles/accounts_controller_spec.rb

diff --git a/app/controllers/profiles/accounts_controller.rb b/app/controllers/profiles/accounts_controller.rb
index 175afbf8425..69959fe3687 100644
--- a/app/controllers/profiles/accounts_controller.rb
+++ b/app/controllers/profiles/accounts_controller.rb
@@ -5,7 +5,7 @@ class Profiles::AccountsController < Profiles::ApplicationController
 
 def unlink
 provider = params[:provider]
- current_user.identities.find_by(provider: provider).destroy
+ current_user.identities.find_by(provider: provider).destroy unless provider.to_s == 'saml'
 redirect_to profile_account_path
 end
 end
diff --git a/app/views/profiles/accounts/show.html.haml b/app/views/profiles/accounts/show.html.haml
index 3d2a245ecbd..8efe486e01b 100644
--- a/app/views/profiles/accounts/show.html.haml
+++ b/app/views/profiles/accounts/show.html.haml
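Review bot: `find_by` on the changed line still returns nil when the signed-in user has no identity for the requested provider, so `.destroy` is called on nil and raises NoMethodError; the guard this commit adds only covers the SAML case, and since `params[:provider]` is caller-controlled the nil path is reachable by any authenticated user (most likely surfacing as a server error rather than the redirect). Splitting the lookup from the deletion keeps the new SAML rule and handles the missing identity: `identity = current_user.identities.find_by(provider: provider)` / `identity.destroy if identity && provider.to_s != 'saml'`. A flash message when a SAML unlink is refused would also tell the user why nothing changed, since the redirect is otherwise silent. The `'saml'` literal here is duplicated in the view change in the same commit; a single predicate shared by both would keep the rule in one place.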
@@ -62,10 +62,14 @@
 .provider-btn-image
 = provider_image_tag(provider)
 - if auth_active?(provider)
- = link_to unlink_profile_account_path(provider: provider), method: :delete, class: 'provider-btn' do
- Disconnect
+ - if provider.to_s == 'saml'
+ %a.provider-btn
+ Active
+ - else
+ = link_to unlink_profile_account_path(provider: provider), method: :delete, class: 'provider-btn' do
+ Disconnect
 - else
- = link_to user_omniauth_authorize_path(provider), method: :post, class: "provider-btn #{'not-active' if !auth_active?(provider)}", "data-no-turbolink" => "true" do
+ = link_to user_omniauth_authorize_path(provider), method: :post, class: 'provider-btn not-active', "data-no-turbolink" => "true" do
 Connect
 %hr
 - if current_user.can_change_username?
diff --git a/spec/controllers/profiles/accounts_controller_spec.rb b/spec/controllers/profiles/accounts_controller_spec.rb
new file mode 100644
index 00000000000..8658030214a
--- /dev/null
+++ b/spec/controllers/profiles/accounts_controller_spec.rb
@@ -0,0 +1,28 @@
+require 'spec_helper'
+
+describe Profiles::AccountsController do
+
+ let(:user) { create(:omniauth_user, provider: 'saml') }
+
+ before do
+ sign_in(user)
+ end
+
+ it 'does not allow to unlink SAML connected account' do
+ identity = user.identities.last
+ delete :unlink, provider: 'saml'
+ updated_user = User.find(user.id)
+
+ expect(response.status).to eq(302)
+ expect(updated_user.identities.size).to eq(1)
+ expect(updated_user.identities).to include(identity)
+ end
+
+ it 'does allow to delete other linked accounts' do
+ user.identities.create(provider: 'twitter', extern_uid: 'twitter_123')
+
+ expect{
+ delete :unlink, provider: 'twitter'
+ }.to change(Identity.all, :size).by(-1)
+ end
+end
\ No newline at end of file
-- 
cgit v1.2.1

From 2786edc931f1853883e5bbd9d2b83a824288ae5c Mon Sep 17 00:00:00 2001
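Review bot: The new `- if provider.to_s == 'saml'` branch hard-codes the same string comparison that this commit also adds to `Profiles::AccountsController#unlink`, so the view and the controller can drift apart if another provider is ever made non-unlinkable; a single helper such as `unlinkable_provider?(provider)` called from both places would keep the rule in one spot. The added `%a.provider-btn` for the SAML case has no `href`, so it renders as a link-styled element that goes nowhere; `%span.provider-btn` (or the anchor with an explicit disabled state) describes the "Active" label more honestly. The block that defines `provider` begins before this hunk.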
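Review bot: Neither example exercises `delete :unlink` for a provider the user has no identity for; with the controller as written, `find_by` returns nil in that case and `.destroy` would raise, so an example along the lines of `expect { delete :unlink, provider: 'github' }.not_to raise_error` (any provider the factory does not create) would pin the intended behaviour and currently exposes the gap. The status check `expect(response.status).to eq(302)` would be stronger as `expect(response).to redirect_to(profile_account_path)`, which also asserts where the redirect goes. The first example relies on the `:omniauth_user` factory creating exactly one identity; wrapping the request in `expect { ... }.not_to change(Identity, :count)` makes it independent of that count. `change(Identity.all, :size)` in the second example works but evaluates a relation twice; `change(Identity, :count)` is the conventional form.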
From: Patricio Cano
Date: Tue, 14 Jun 2016 18:37:22 -0500
Subject: Added CHANGELOG item and fixed Rubocop errors

---
 CHANGELOG | 1 +
 spec/controllers/profiles/accounts_controller_spec.rb | 6 ++----
 2 files changed, 3 insertions(+), 4 deletions(-)

diff --git a/CHANGELOG b/CHANGELOG
index 291d769722e..5051bdf11db 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -40,6 +40,7 @@ v 8.9.0 (unreleased)
 - Links from a wiki page to other wiki pages should be rewritten as expected
 - Add option to project to only allow merge requests to be merged if the build succeeds (Rui Santos)
 - Fix issues filter when ordering by milestone
+ - Disable SAML account unlink feature
 - Added artifacts:when to .gitlab-ci.yml - this requires GitLab Runner 1.3
 - Bamboo Service: Fix missing credentials & URL handling when base URL contains a path (Benjamin Schmid)
 - TeamCity Service: Fix URL handling when base URL contains a path
diff --git a/spec/controllers/profiles/accounts_controller_spec.rb b/spec/controllers/profiles/accounts_controller_spec.rb
index 8658030214a..4eafc11abaa 100644
--- a/spec/controllers/profiles/accounts_controller_spec.rb
+++ b/spec/controllers/profiles/accounts_controller_spec.rb
@@ -21,8 +21,6 @@ describe Profiles::AccountsController do
 it 'does allow to delete other linked accounts' do
 user.identities.create(provider: 'twitter', extern_uid: 'twitter_123')
 
- expect{
- delete :unlink, provider: 'twitter'
- }.to change(Identity.all, :size).by(-1)
+ expect { delete :unlink, provider: 'twitter' }.to change(Identity.all, :size).by(-1)
 end
-end
\ No newline at end of file
+end
-- 
cgit v1.2.1