Commit baa65e89 authored by Dmitriy Zaporozhets

Check if LDAP user was removed or blocked when using git over ssh

parent 2db94109
...@@ -35,6 +35,7 @@ module API ...@@ -35,6 +35,7 @@ module API
user = key.user user = key.user
return false if user.blocked? return false if user.blocked?
return false if user.ldap_user? && Gitlab::LDAP::User.blocked?(user.extern_uid)
action = case git_cmd action = case git_cmd
when *DOWNLOAD_COMMANDS when *DOWNLOAD_COMMANDS
......
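Review bot: The added `Gitlab::LDAP::User.blocked?(user.extern_uid)` line puts a live LDAP lookup into every git-over-SSH access check, and no error handling is visible around it. Decide explicitly what happens when the directory is unreachable: rescue the connection error at this call, deny access (fail closed), and log it so an outage can be told apart from a real block. Also confirm that `extern_uid` always holds a full DN for LDAP users, since the callee uses it as the search base.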
...@@ -71,6 +71,16 @@ module Gitlab ...@@ -71,6 +71,16 @@ module Gitlab
find_by_uid(ldap_user.dn) if ldap_user find_by_uid(ldap_user.dn) if ldap_user
end end
# Check LDAP user existance by dn. User in git over ssh check
#
# It covers 2 cases:
# * when ldap account was removed
# * when ldap account was deactivated by change of OU membership in 'dn'
def blocked?(dn)
ldap = OmniAuth::LDAP::Adaptor.new(ldap_conf)
ldap.connection.search(base: dn, size: 1).blank?
end
private private
def find_by_uid(uid) def find_by_uid(uid)
......
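Review bot: In `blocked?`, `search(base: dn, size: 1).blank?` treats any nil or empty result as blocked, so a search that fails for another reason cannot be told apart from a removed entry, and an account that is disabled in place but still present at the same DN is not caught. Check the connection's operation result before concluding the entry is gone, and state the in-place-disable limitation in the method comment next to the two cases it lists. The comment also has typos: "existance" and "User in git over ssh check" (presumably "Used in").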