From 10444f61f85219eb6b2c10586996717d3b0afa8b Mon Sep 17 00:00:00 2001
From: Patricio Cano
Date: Tue, 28 Jun 2016 18:19:04 -0500
Subject: Fixed privilege escalation issue where manually set external users would be reverted back to internal users if they logged in via OAuth and that provider was not in the `external_providers` list.

---
 spec/lib/gitlab/o_auth/user_spec.rb | 17 +++++++++++++++--
 1 file changed, 15 insertions(+), 2 deletions(-)

(limited to 'spec')

diff --git a/spec/lib/gitlab/o_auth/user_spec.rb b/spec/lib/gitlab/o_auth/user_spec.rb
index 6727a83e58a..fbb5895c2ef 100644
--- a/spec/lib/gitlab/o_auth/user_spec.rb
+++ b/spec/lib/gitlab/o_auth/user_spec.rb
@@ -51,12 +51,25 @@ describe Gitlab::OAuth::User, lib: true do
 end
 
 context 'provider was external, now has been removed' do
- it 'should mark existing user internal' do
+ it 'should not mark external user as internal' do
 create(:omniauth_user, extern_uid: 'my-uid', provider: 'twitter', external: true)
 stub_omniauth_config(allow_single_sign_on: ['twitter'], external_providers: ['facebook'])
 oauth_user.save
 expect(gl_user).to be_valid
- expect(gl_user.external).to be_falsey
+ expect(gl_user.external).to be_truthy
+ end
+ end
+
+ context 'provider is not external' do
+ context 'when adding a new OAuth identity' do
+ it 'should not promote an external user to internal' do
+ user = create(:user, email: 'john@mail.com', external: true)
+ user.identities.create(provider: provider, extern_uid: uid)
+
+ oauth_user.save
+ expect(gl_user).to be_valid
+ expect(gl_user.external).to be_truthy
+ end
 end
 end
-- 
cgit v1.2.1
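Review bot: The new `it 'should not promote an external user to internal'` never states the precondition its context name promises — unlike the sibling test above it, it does not call `stub_omniauth_config`, so whether `provider` is absent from `external_providers` depends on whatever the enclosing `describe`/`context` (which starts outside this hunk) configured. For a regression test guarding a privilege-escalation fix, make that explicit, e.g. `stub_omniauth_config(allow_single_sign_on: [provider], external_providers: [])` before `oauth_user.save`. Both tests also assert on `gl_user.external`, which presumably is the in-memory object the OAuth flow found; since the bug being fixed is the persisted flag being flipped back to internal, adding `expect(user.reload.external).to be_truthy` (and the equivalent reload in the `'provider was external, now has been removed'` case) would pin the database state rather than the object still in memory. The matching change in `lib/gitlab/o_auth/user.rb` is not in this hunk, so this review covers only the spec side.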