    Remove LDAP::Access#find_user · 614ca3ec
    Jacob Vosmaer authored
    This method existed to allow LDAP users to take over existing GitLab
    accounts if the part before the '@' of their LDAP email attribute
    matched the username of an existing GitLab user. I propose to disable
    this behavior in order to prevent unintended GitLab account takeovers.
    
    After this change it is still possible to take over an existing GitLab
    account with your LDAP credentials, as long as the GitLab account email
    address matches the LDAP user email address.
ldap_user_auth_spec.rb 1.37 KB