From 1eef146c2d1de19d4e995d421e5787053e50db80 Mon Sep 17 00:00:00 2001
From: GitLab Bot
Date: Mon, 10 Jan 2022 20:36:29 +0000
Subject: Add latest changes from gitlab-org/security/gitlab@14-6-stable-ee
---
 app/controllers/concerns/sessionless_authentication.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'app/controllers')
diff --git a/app/controllers/concerns/sessionless_authentication.rb b/app/controllers/concerns/sessionless_authentication.rb
index 58e65ba20e2..c6d926c8a8d 100644
--- app/controllers/concerns/sessionless_authentication.rb
+++ app/controllers/concerns/sessionless_authentication.rb
@@ -20,7 +20,7 @@ module SessionlessAuthentication
 end
 def sessionless_sign_in(user)
- if user && can?(user, :log_in)
+ if can?(user, :log_in) && !user.password_expired_if_applicable?
 # Notice we are passing store false, so the user is not
 # actually stored in the session and a token is needed
 # for every request. If you want the token to work as a
-- cgit v1.2.1
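Review bot: The rewritten condition in `sessionless_sign_in` drops the explicit `user &&` nil guard, so the added `!user.password_expired_if_applicable?` call is safe only if `can?(nil, :log_in)` is always falsy, which this hunk does not show. If the token lookup can hand this method a nil user, as the old guard suggests, a truthy `can?` would raise NoMethodError instead of quietly declining the sign-in. Keeping the guard makes the fail-closed path explicit: `if user && can?(user, :log_in) && !user.password_expired_if_applicable?`. A one-line comment above the condition, for example `# A token must not sign in a user whose password has expired`, would record why the expiry check belongs in this path. The method body continues past the end of the hunk, so the rest of the sign-in logic is not visible here.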