37383d9a
Commit
37383d9a
authored
Aug 31, 2017
by
Tiago Botelho
Rolls back changes made to signing_enabled.
parent
d546f7d3
Showing
12 changed files
with
31 additions
and
33 deletions
+31
-33
application_controller.rb
app/controllers/application_controller.rb
+1
-1
passwords_controller.rb
app/controllers/passwords_controller.rb
+4
-6
passwords_controller.rb
app/controllers/profiles/passwords_controller.rb
+1
-1
user.rb
app/models/user.rb
+1
-1
_form.html.haml
app/views/admin/application_settings/_form.html.haml
+1
-1
_profile.html.haml
app/views/layouts/nav/_profile.html.haml
+1
-1
37202-revert-changes-to-signing-enabled.yml
...gs/unreleased/37202-revert-changes-to-signing-enabled.yml
+5
-0
auth.rb
lib/gitlab/auth.rb
+0
-4
application_controller_spec.rb
spec/controllers/application_controller_spec.rb
+11
-2
passwords_controller_spec.rb
spec/controllers/passwords_controller_spec.rb
+4
-4
password_spec.rb
spec/features/profiles/password_spec.rb
+2
-2
auth_spec.rb
spec/lib/gitlab/auth_spec.rb
+0
-10
app/controllers/application_controller.rb
...
@@ -202,7 +202,7 @@ class ApplicationController < ActionController::Base
...
@@ -202,7 +202,7 @@ class ApplicationController < ActionController::Base
end
end
def
check_password_expiration
def
check_password_expiration
if
current_user
&&
current_user
.
password_expires_at
&&
current_user
.
password_expires_at
<
Time
.
now
&&
current_user
.
allow_password_authentication
?
if
current_user
&&
current_user
.
password_expires_at
&&
current_user
.
password_expires_at
<
Time
.
now
&&
!
current_user
.
ldap_user
?
return
redirect_to
new_profile_password_path
return
redirect_to
new_profile_password_path
end
end
end
end
...
...
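Review bot: The restored guard in `check_password_expiration` sends every non-LDAP user with an expired password to `new_profile_password_path`, including accounts on an instance where password authentication is switched off (the spec added in this commit pins that), yet nothing in the method says why LDAP users are the only exemption. A one-line comment would spare the next reader from re-deriving it, for example `# LDAP-backed accounts cannot change their password here, so only locally authenticated users are redirected` — worded as an assumption, since this hunk does not show where LDAP passwords are managed. The four-clause `&&` chain would also read more easily behind a private predicate such as `password_expired?`, mirroring the existing `ldap_user?`.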
app/controllers/passwords_controller.rb
class
PasswordsController
<
Devise
::
PasswordsController
class
PasswordsController
<
Devise
::
PasswordsController
include
Gitlab
::
CurrentSettings
before_action
:resource_from_email
,
only:
[
:create
]
before_action
:resource_from_email
,
only:
[
:create
]
before_action
:
check_password_authentication_available
,
only:
[
:create
]
before_action
:
prevent_ldap_reset
,
only:
[
:create
]
before_action
:throttle_reset
,
only:
[
:create
]
before_action
:throttle_reset
,
only:
[
:create
]
def
edit
def
edit
...
@@ -40,11 +38,11 @@ class PasswordsController < Devise::PasswordsController
...
@@ -40,11 +38,11 @@ class PasswordsController < Devise::PasswordsController
self
.
resource
=
resource_class
.
find_by_email
(
email
)
self
.
resource
=
resource_class
.
find_by_email
(
email
)
end
end
def
check_password_authentication_available
def
prevent_ldap_reset
return
if
current_application_settings
.
password_authentication_enabled?
&&
(
resource
.
nil?
||
resource
.
allow_password_authentication?
)
return
unless
resource
&
.
ldap_user?
redirect_to
after_sending_reset_password_instructions_path_for
(
resource_name
),
redirect_to
after_sending_reset_password_instructions_path_for
(
resource_name
),
alert:
"
Password authentication is unavailable
."
alert:
"
Cannot reset password for LDAP user
."
end
end
def
throttle_reset
def
throttle_reset
...
...
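Review bot: `prevent_ldap_reset` answers a reset request for an LDAP-backed address with a distinct flash, `Cannot reset password for LDAP user.`, while any other address falls through to Devise's generic response; on an unauthenticated endpoint that difference reveals to the requester whether a given e-mail belongs to a directory account. If users do not need that distinction, returning the same generic notice in both branches and logging the LDAP case server-side would close the gap without changing the flow. Dropping `check_password_authentication_available` also means reset mails are sent while password authentication is disabled instance-wide, which the updated spec treats as intended; a comment on the `before_action` line stating that this is deliberate would keep a future contributor from re-adding the check. The second hunk starts at line 38 and `throttle_reset` continues beyond it.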
app/controllers/profiles/passwords_controller.rb
...
@@ -77,7 +77,7 @@ class Profiles::PasswordsController < Profiles::ApplicationController
...
@@ -77,7 +77,7 @@ class Profiles::PasswordsController < Profiles::ApplicationController
end
end
def
authorize_change_password!
def
authorize_change_password!
render_404
unless
@user
.
allow_password_authentication
?
render_404
if
@user
.
ldap_user
?
end
end
def
user_params
def
user_params
...
...
app/models/user.rb
...
@@ -601,7 +601,7 @@ class User < ActiveRecord::Base
...
@@ -601,7 +601,7 @@ class User < ActiveRecord::Base
end
end
def
require_personal_access_token_creation_for_git_auth?
def
require_personal_access_token_creation_for_git_auth?
return
false
if
allow_password_authentication
?
||
ldap_user?
return
false
if
current_application_settings
.
password_authentication_enabled
?
||
ldap_user?
PersonalAccessTokensFinder
.
new
(
user:
self
,
impersonation:
false
,
state:
'active'
).
execute
.
none?
PersonalAccessTokensFinder
.
new
(
user:
self
,
impersonation:
false
,
state:
'active'
).
execute
.
none?
end
end
...
...
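Review bot: `require_personal_access_token_creation_for_git_auth?` carries no comment, and its name does not convey that it short-circuits on the instance-wide setting before looking at the user's own tokens. Suggest a header comment such as `# True only when password authentication is disabled instance-wide, the user is not LDAP-backed, and they hold no active non-impersonation personal access token` — presumably a caller uses this to prompt for token creation, but that caller is not visible here. The `PersonalAccessTokensFinder` query runs on every call, so if this is evaluated per request the cost may be worth a look, though that cannot be judged from this hunk.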
app/views/admin/application_settings/_form.html.haml
...
@@ -153,7 +153,7 @@
...
@@ -153,7 +153,7 @@
.checkbox
.checkbox
=
f
.
label
:password_authentication_enabled
do
=
f
.
label
:password_authentication_enabled
do
=
f
.
check_box
:password_authentication_enabled
=
f
.
check_box
:password_authentication_enabled
Password authenticatio
n enabled
Sign-i
n enabled
-
if
omniauth_enabled?
&&
button_based_providers
.
any?
-
if
omniauth_enabled?
&&
button_based_providers
.
any?
.form-group
.form-group
=
f
.
label
:enabled_oauth_sign_in_sources
,
'Enabled OAuth sign-in sources'
,
class:
'control-label col-sm-2'
=
f
.
label
:enabled_oauth_sign_in_sources
,
'Enabled OAuth sign-in sources'
,
class:
'control-label col-sm-2'
...
...
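Review bot: The checkbox bound to `password_authentication_enabled` is now labelled `Sign-in enabled`, which an administrator can read as switching off all sign-in, whereas the OAuth sign-in sources configured directly below it are, as far as this hunk shows, independent of that setting. If the short label is required, a help-text line under the checkbox saying that it governs only username/password sign-in would remove the ambiguity without changing the control.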
app/views/layouts/nav/_profile.html.haml
...
@@ -29,7 +29,7 @@
...
@@ -29,7 +29,7 @@
=
link_to
profile_emails_path
,
title:
'Emails'
do
=
link_to
profile_emails_path
,
title:
'Emails'
do
%span
%span
Emails
Emails
-
if
current_user
.
allow_password_authentication
?
-
unless
current_user
.
ldap_user
?
=
nav_link
(
controller: :passwords
)
do
=
nav_link
(
controller: :passwords
)
do
=
link_to
edit_profile_password_path
,
title:
'Password'
do
=
link_to
edit_profile_password_path
,
title:
'Password'
do
%span
%span
...
...
changelogs/unreleased/37202-revert-changes-to-signing-enabled.yml
0 → 100644
---
title
:
Reverts changes made to signin_enabled.
merge_request
:
13956
author
:
type
:
fixed
lib/gitlab/auth.rb
...
@@ -48,10 +48,6 @@ module Gitlab
...
@@ -48,10 +48,6 @@ module Gitlab
# Avoid resource intensive login checks if password is not provided
# Avoid resource intensive login checks if password is not provided
return
unless
password
.
present?
return
unless
password
.
present?
# Nothing to do here if internal auth is disabled and LDAP is
# not configured
return
unless
current_application_settings
.
password_authentication_enabled?
||
Gitlab
::
LDAP
::
Config
.
enabled?
Gitlab
::
Auth
::
UniqueIpsLimiter
.
limit_user!
do
Gitlab
::
Auth
::
UniqueIpsLimiter
.
limit_user!
do
user
=
User
.
by_login
(
login
)
user
=
User
.
by_login
(
login
)
...
...
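Review bot: Removing the early `return unless current_application_settings.password_authentication_enabled? || Gitlab::LDAP::Config.enabled?` means `find_with_user_password` will now authenticate a login/password pair even when an administrator has disabled password authentication, unless a caller outside this hunk enforces the setting; the spec example `does not find user by valid login/password` deleted in the same commit was the only visible check of that behaviour. If the gate deliberately lives elsewhere (the sign-in form or the git-over-HTTP path, for instance), a comment here naming that place would stop the next reader from treating this as an oversight: `# The password_authentication_enabled setting is enforced by the callers, not in this method`. If it does not live elsewhere, a regression test equivalent to the removed one should be restored before merge. The enclosing method begins before this hunk.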
spec/controllers/application_controller_spec.rb
...
@@ -8,34 +8,43 @@ describe ApplicationController do
...
@@ -8,34 +8,43 @@ describe ApplicationController do
it
'redirects if the user is over their password expiry'
do
it
'redirects if the user is over their password expiry'
do
user
.
password_expires_at
=
Time
.
new
(
2002
)
user
.
password_expires_at
=
Time
.
new
(
2002
)
expect
(
user
.
ldap_user?
).
to
be_falsey
expect
(
user
.
ldap_user?
).
to
be_falsey
allow
(
controller
).
to
receive
(
:current_user
).
and_return
(
user
)
allow
(
controller
).
to
receive
(
:current_user
).
and_return
(
user
)
expect
(
controller
).
to
receive
(
:redirect_to
)
expect
(
controller
).
to
receive
(
:redirect_to
)
expect
(
controller
).
to
receive
(
:new_profile_password_path
)
expect
(
controller
).
to
receive
(
:new_profile_password_path
)
controller
.
send
(
:check_password_expiration
)
controller
.
send
(
:check_password_expiration
)
end
end
it
'does not redirect if the user is under their password expiry'
do
it
'does not redirect if the user is under their password expiry'
do
user
.
password_expires_at
=
Time
.
now
+
20010101
user
.
password_expires_at
=
Time
.
now
+
20010101
expect
(
user
.
ldap_user?
).
to
be_falsey
expect
(
user
.
ldap_user?
).
to
be_falsey
allow
(
controller
).
to
receive
(
:current_user
).
and_return
(
user
)
allow
(
controller
).
to
receive
(
:current_user
).
and_return
(
user
)
expect
(
controller
).
not_to
receive
(
:redirect_to
)
expect
(
controller
).
not_to
receive
(
:redirect_to
)
controller
.
send
(
:check_password_expiration
)
controller
.
send
(
:check_password_expiration
)
end
end
it
'does not redirect if the user is over their password expiry but they are an ldap user'
do
it
'does not redirect if the user is over their password expiry but they are an ldap user'
do
user
.
password_expires_at
=
Time
.
new
(
2002
)
user
.
password_expires_at
=
Time
.
new
(
2002
)
allow
(
user
).
to
receive
(
:ldap_user?
).
and_return
(
true
)
allow
(
user
).
to
receive
(
:ldap_user?
).
and_return
(
true
)
allow
(
controller
).
to
receive
(
:current_user
).
and_return
(
user
)
allow
(
controller
).
to
receive
(
:current_user
).
and_return
(
user
)
expect
(
controller
).
not_to
receive
(
:redirect_to
)
expect
(
controller
).
not_to
receive
(
:redirect_to
)
controller
.
send
(
:check_password_expiration
)
controller
.
send
(
:check_password_expiration
)
end
end
it
'
does not redirect if the user is over their password expiry but
sign-in is disabled'
do
it
'
redirects if the user is over their password expiry and
sign-in is disabled'
do
stub_application_setting
(
password_authentication_enabled:
false
)
stub_application_setting
(
password_authentication_enabled:
false
)
user
.
password_expires_at
=
Time
.
new
(
2002
)
user
.
password_expires_at
=
Time
.
new
(
2002
)
expect
(
user
.
ldap_user?
).
to
be_falsey
allow
(
controller
).
to
receive
(
:current_user
).
and_return
(
user
)
allow
(
controller
).
to
receive
(
:current_user
).
and_return
(
user
)
expect
(
controller
).
not_to
receive
(
:redirect_to
)
expect
(
controller
).
to
receive
(
:redirect_to
)
expect
(
controller
).
to
receive
(
:new_profile_password_path
)
controller
.
send
(
:check_password_expiration
)
controller
.
send
(
:check_password_expiration
)
end
end
...
...
spec/controllers/passwords_controller_spec.rb
require
'spec_helper'
require
'spec_helper'
describe
PasswordsController
do
describe
PasswordsController
do
describe
'#
check_password_authentication_available
'
do
describe
'#
prevent_ldap_reset
'
do
before
do
before
do
@request
.
env
[
"devise.mapping"
]
=
Devise
.
mappings
[
:user
]
@request
.
env
[
"devise.mapping"
]
=
Devise
.
mappings
[
:user
]
end
end
context
'when password authentication is disabled'
do
context
'when password authentication is disabled'
do
it
'
prevents a
password reset'
do
it
'
allows
password reset'
do
stub_application_setting
(
password_authentication_enabled:
false
)
stub_application_setting
(
password_authentication_enabled:
false
)
post
:create
post
:create
expect
(
flash
[
:alert
]).
to
eq
'Password authentication is unavailable.'
expect
(
response
).
to
have_http_status
(
302
)
end
end
end
end
...
@@ -22,7 +22,7 @@ describe PasswordsController do
...
@@ -22,7 +22,7 @@ describe PasswordsController do
it
'prevents a password reset'
do
it
'prevents a password reset'
do
post
:create
,
user:
{
email:
user
.
email
}
post
:create
,
user:
{
email:
user
.
email
}
expect
(
flash
[
:alert
]).
to
eq
'Password authentication is unavailable.'
expect
(
flash
[
:alert
]).
to
eq
(
'Cannot reset password for LDAP user.'
)
end
end
end
end
end
end
...
...
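Review bot: The `allows password reset` example asserts only `have_http_status(302)`, but `prevent_ldap_reset` also answers with a redirect, so the example would still pass if the reset had been blocked by a before_action. Adding `expect(flash[:alert]).to be_nil` (or asserting the notice Devise sets on success) makes the example fail when a guard intervenes. It may also be worth passing `user: { email: user.email }` as the second hunk does, so that `resource_from_email` actually resolves an account rather than leaving `resource` nil.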
spec/features/profiles/password_spec.rb
...
@@ -53,12 +53,12 @@ describe 'Profile > Password' do
...
@@ -53,12 +53,12 @@ describe 'Profile > Password' do
context
'Regular user'
do
context
'Regular user'
do
let
(
:user
)
{
create
(
:user
)
}
let
(
:user
)
{
create
(
:user
)
}
it
'renders
404
when sign-in is disabled'
do
it
'renders
200
when sign-in is disabled'
do
stub_application_setting
(
password_authentication_enabled:
false
)
stub_application_setting
(
password_authentication_enabled:
false
)
visit
edit_profile_password_path
visit
edit_profile_password_path
expect
(
page
).
to
have_http_status
(
404
)
expect
(
page
).
to
have_http_status
(
200
)
end
end
end
end
...
...
spec/lib/gitlab/auth_spec.rb
...
@@ -279,16 +279,6 @@ describe Gitlab::Auth do
...
@@ -279,16 +279,6 @@ describe Gitlab::Auth do
gl_auth
.
find_with_user_password
(
'ldap_user'
,
'password'
)
gl_auth
.
find_with_user_password
(
'ldap_user'
,
'password'
)
end
end
end
end
context
"with sign-in disabled"
do
before
do
stub_application_setting
(
password_authentication_enabled:
false
)
end
it
"does not find user by valid login/password"
do
expect
(
gl_auth
.
find_with_user_password
(
username
,
password
)).
to
be_nil
end
end
end
end
private
private
...
...