Skip to content

G
gitlab-ce
Commit 0ea04cc5 authored by http://jneen.net/'s avatar http://jneen.net/
Browse files
Options

use the policy stack to protect logins

parent d9cfed07
Hide whitespace changes
Inline Side-by-side
Showing with 6 additions and 7 deletions
app/controllers/application_controller.rb
View file @ 0ea04cc5
...@@ -67,7 +67,7 @@ class ApplicationController < ActionController::Base ...@@ -67,7 +67,7 @@ class ApplicationController < ActionController::Base
token_string = params[:private_token].presence || request.headers['PRIVATE-TOKEN'].presence token_string = params[:private_token].presence || request.headers['PRIVATE-TOKEN'].presence
user = User.find_by_authentication_token(token_string) || User.find_by_personal_access_token(token_string) user = User.find_by_authentication_token(token_string) || User.find_by_personal_access_token(token_string)
if user if user && can?(user, :log_in)
# Notice we are passing store false, so the user is not # Notice we are passing store false, so the user is not
# actually stored in the session and a token is needed # actually stored in the session and a token is needed
# for every request. If you want the token to work as a # for every request. If you want the token to work as a
......
app/controllers/concerns/authenticates_with_two_factor.rb
View file @ 0ea04cc5
...@@ -23,7 +23,7 @@ module AuthenticatesWithTwoFactor ...@@ -23,7 +23,7 @@ module AuthenticatesWithTwoFactor
# #
# Returns nil # Returns nil
def prompt_for_two_factor(user) def prompt_for_two_factor(user)
return locked_user_redirect(user) if user.access_locked? return locked_user_redirect(user) unless user.can?(:log_in)
session[:otp_user_id] = user.id session[:otp_user_id] = user.id
setup_u2f_authentication(user) setup_u2f_authentication(user)
...@@ -37,10 +37,9 @@ module AuthenticatesWithTwoFactor ...@@ -37,10 +37,9 @@ module AuthenticatesWithTwoFactor
def authenticate_with_two_factor def authenticate_with_two_factor
user = self.resource = find_user user = self.resource = find_user
return locked_user_redirect(user) unless user.can?(:log_in)
if user.access_locked? if user_params[:otp_attempt].present? && session[:otp_user_id]
locked_user_redirect(user)
elsif user_params[:otp_attempt].present? && session[:otp_user_id]
authenticate_with_two_factor_via_otp(user) authenticate_with_two_factor_via_otp(user)
elsif user_params[:device_response].present? && session[:otp_user_id] elsif user_params[:device_response].present? && session[:otp_user_id]
authenticate_with_two_factor_via_u2f(user) authenticate_with_two_factor_via_u2f(user)
......
app/policies/global_policy.rb
View file @ 0ea04cc5
...@@ -6,7 +6,7 @@ class GlobalPolicy < BasePolicy ...@@ -6,7 +6,7 @@ class GlobalPolicy < BasePolicy
can! :read_users_list can! :read_users_list
unless @user.blocked? || @user.internal? unless @user.blocked? || @user.internal?
can! :log_in can! :log_in unless @user.access_locked?
can! :access_api can! :access_api
can! :access_git can! :access_git
end end
......
lib/api/helpers.rb
View file @ 0ea04cc5
...@@ -97,7 +97,7 @@ module API ...@@ -97,7 +97,7 @@ module API
end end
def authenticate! def authenticate!
unauthorized! unless current_user unauthorized! unless current_user && can?(current_user, :access_api)
end end
def authenticate_non_get! def authenticate_non_get!
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment
GitLab Nexedi Edition | About GitLab | About Nexedi | 沪ICP备2021021310号-2 | 沪ICP备2021021310号-7