BigW Consortium Gitlab

  1. 07 Mar, 2017 1 commit
    • Don't allow blocked users to authenticate through other means · 93daeee1
      Markus Koller authored
      Gitlab::Auth.find_with_user_password is currently used in these places:
      
      - resource_owner_from_credentials in config/initializers/doorkeeper.rb,
        which is used for the OAuth Resource Owner Password Credentials flow
      
      - the /session API call in lib/api/session.rb, which is used to reveal
        the user's current authentication_token
      
      In both cases users should only be authenticated if they're in the
      active state.
  2. 06 Mar, 2017 4 commits
  3. 16 Dec, 2016 1 commit
    • Calls to the API are checked for scope. · 7fa06ed5
      Timothy Andrew authored
      - Move the `Oauth2::AccessTokenValidationService` class to
        `AccessTokenValidationService`, since it is now being used for
        personal access token validation as well.
      
      - Each API endpoint declares the scopes it accepts (if any). Currently,
        the top level API module declares the `api` scope, and the `Users` API
        module declares the `read_user` scope (for GET requests).
      
      - Move `find_user_by_private_token` from the API `Helpers` module to
        the `APIGuard` module, to avoid littering `Helpers` with more
        auth-related methods to support `find_user_by_private_token`.
  4. 01 Jul, 2016 1 commit
  5. 27 Jun, 2016 1 commit
  6. 22 Jun, 2015 1 commit
  7. 12 Feb, 2015 1 commit
  8. 24 Dec, 2014 1 commit