Skip to content
Projects
Groups
Snippets
Help
Loading...
Help
Support
Keyboard shortcuts
?
Submit feedback
Contribute to GitLab
Sign in / Register
Toggle navigation
G
gitlab-ce
Project overview
Project overview
Details
Activity
Releases
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Issues
0
Issues
0
List
Boards
Labels
Milestones
Merge Requests
0
Merge Requests
0
Analytics
Analytics
Repository
Value Stream
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Create a new issue
Commits
Issue Boards
Open sidebar
Jérome Perrin
gitlab-ce
Commits
0ea04cc5
Commit
0ea04cc5
authored
Feb 28, 2017
by
http://jneen.net/
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
use the policy stack to protect logins
parent
d9cfed07
Changes
4
Show whitespace changes
Inline
Side-by-side
Showing
4 changed files
with
6 additions
and
7 deletions
+6
-7
app/controllers/application_controller.rb
app/controllers/application_controller.rb
+1
-1
app/controllers/concerns/authenticates_with_two_factor.rb
app/controllers/concerns/authenticates_with_two_factor.rb
+3
-4
app/policies/global_policy.rb
app/policies/global_policy.rb
+1
-1
lib/api/helpers.rb
lib/api/helpers.rb
+1
-1
No files found.
app/controllers/application_controller.rb
View file @
0ea04cc5
...
@@ -67,7 +67,7 @@ class ApplicationController < ActionController::Base
...
@@ -67,7 +67,7 @@ class ApplicationController < ActionController::Base
token_string
=
params
[
:private_token
].
presence
||
request
.
headers
[
'PRIVATE-TOKEN'
].
presence
token_string
=
params
[
:private_token
].
presence
||
request
.
headers
[
'PRIVATE-TOKEN'
].
presence
user
=
User
.
find_by_authentication_token
(
token_string
)
||
User
.
find_by_personal_access_token
(
token_string
)
user
=
User
.
find_by_authentication_token
(
token_string
)
||
User
.
find_by_personal_access_token
(
token_string
)
if
user
if
user
&&
can?
(
user
,
:log_in
)
# Notice we are passing store false, so the user is not
# Notice we are passing store false, so the user is not
# actually stored in the session and a token is needed
# actually stored in the session and a token is needed
# for every request. If you want the token to work as a
# for every request. If you want the token to work as a
...
...
app/controllers/concerns/authenticates_with_two_factor.rb
View file @
0ea04cc5
...
@@ -23,7 +23,7 @@ module AuthenticatesWithTwoFactor
...
@@ -23,7 +23,7 @@ module AuthenticatesWithTwoFactor
#
#
# Returns nil
# Returns nil
def
prompt_for_two_factor
(
user
)
def
prompt_for_two_factor
(
user
)
return
locked_user_redirect
(
user
)
if
user
.
access_locked?
return
locked_user_redirect
(
user
)
unless
user
.
can?
(
:log_in
)
session
[
:otp_user_id
]
=
user
.
id
session
[
:otp_user_id
]
=
user
.
id
setup_u2f_authentication
(
user
)
setup_u2f_authentication
(
user
)
...
@@ -37,10 +37,9 @@ module AuthenticatesWithTwoFactor
...
@@ -37,10 +37,9 @@ module AuthenticatesWithTwoFactor
def
authenticate_with_two_factor
def
authenticate_with_two_factor
user
=
self
.
resource
=
find_user
user
=
self
.
resource
=
find_user
return
locked_user_redirect
(
user
)
unless
user
.
can?
(
:log_in
)
if
user
.
access_locked?
if
user_params
[
:otp_attempt
].
present?
&&
session
[
:otp_user_id
]
locked_user_redirect
(
user
)
elsif
user_params
[
:otp_attempt
].
present?
&&
session
[
:otp_user_id
]
authenticate_with_two_factor_via_otp
(
user
)
authenticate_with_two_factor_via_otp
(
user
)
elsif
user_params
[
:device_response
].
present?
&&
session
[
:otp_user_id
]
elsif
user_params
[
:device_response
].
present?
&&
session
[
:otp_user_id
]
authenticate_with_two_factor_via_u2f
(
user
)
authenticate_with_two_factor_via_u2f
(
user
)
...
...
app/policies/global_policy.rb
View file @
0ea04cc5
...
@@ -6,7 +6,7 @@ class GlobalPolicy < BasePolicy
...
@@ -6,7 +6,7 @@ class GlobalPolicy < BasePolicy
can!
:read_users_list
can!
:read_users_list
unless
@user
.
blocked?
||
@user
.
internal?
unless
@user
.
blocked?
||
@user
.
internal?
can!
:log_in
can!
:log_in
unless
@user
.
access_locked?
can!
:access_api
can!
:access_api
can!
:access_git
can!
:access_git
end
end
...
...
lib/api/helpers.rb
View file @
0ea04cc5
...
@@ -97,7 +97,7 @@ module API
...
@@ -97,7 +97,7 @@ module API
end
end
def
authenticate!
def
authenticate!
unauthorized!
unless
current_user
unauthorized!
unless
current_user
&&
can?
(
current_user
,
:access_api
)
end
end
def
authenticate_non_get!
def
authenticate_non_get!
...
...
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment