Dont allow LDAP users to change password inside GitLab

7cb86eb3 · Dmitriy Zaporozhets · bd6dfe7d · 7cb86eb3 · 7cb86eb3 · 7cb86eb3
Commit 7cb86eb3 authored May 24, 2013 by Dmitriy Zaporozhets
Showing with 48 additions and 34 deletions

app/controllers/profiles_controller.rb app/controllers/profiles_controller.rb +12 -3

app/models/user.rb app/models/user.rb +4 -0

app/views/profiles/account.html.haml app/views/profiles/account.html.haml +32 -31

No files found.
--- a/app/controllers/profiles_controller.rb
+++ b/app/controllers/profiles_controller.rb
@@ -2,6 +2,9 @@ class ProfilesController < ApplicationController
  include ActionView::Helpers::SanitizeHelper
  before_filter :user
+  before_filter :authorize_change_password!, only: :update_password
+  before_filter :authorize_change_username!, only: :update_username
  layout 'profile'
  def show
@@ -53,9 +56,7 @@ class ProfilesController < ApplicationController
  end
  def update_username
-    if @user.can_change_username?
    @user.update_attributes(username: params[:user][:username])
-    end
    respond_to do |format|
      format.js
@@ -80,4 +81,12 @@ class ProfilesController < ApplicationController
    user_attributes
  end
+  def authorize_change_password!
+    return render_404 if @user.ldap_user?
+  end
+  def authorize_change_username!
+    return render_404 unless @user.can_change_username?
+  end
 end
--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -340,4 +340,8 @@ class User < ActiveRecord::Base
      nil
    end
  end
+  def ldap_user?
+    extern_uid && provider == 'ldap'
+  end
 end
--- a/app/views/profiles/account.html.haml
+++ b/app/views/profiles/account.html.haml
- if Gitlab.config.omniauth.enabled
+- unless current_user.ldap_user?
+  - if Gitlab.config.omniauth.enabled
    %fieldset
      %legend Social Accounts
      .oauth_select_holder
@@ -8,28 +9,7 @@
            = link_to authbutton(provider, 32), omniauth_authorize_path(User, provider)
+  %fieldset.update-password
-%fieldset.update-token
-  %legend
-    Private token
-    %span.cred.pull-right
-      keep it secret!
-  .padded
-    = form_for @user, url: reset_private_token_profile_path, method: :put do |f|
-      .data
-        %p.slead
-          Private token used to access application resources without authentication.
-          %br
-          It can be used for atom feed or API
-        %p.cgray
-          - if current_user.private_token
-            = text_field_tag "token", current_user.private_token, class: "xxlarge large_text"
-            = f.submit 'Reset', confirm: "Are you sure?", class: "btn btn-primary btn-build-token"
-          - else
-            %span You don`t have one yet. Click generate to fix it.
-            = f.submit 'Generate', class: "btn success btn-build-token"
-%fieldset.update-password
    %legend Password
    = form_for @user, url: update_password_profile_path, method: :put do |f|
      .padded
@@ -53,6 +33,27 @@
+%fieldset.update-token
+  %legend
+    Private token
+    %span.cred.pull-right
+      keep it secret!
+  .padded
+    = form_for @user, url: reset_private_token_profile_path, method: :put do |f|
+      .data
+        %p.slead
+          Private token used to access application resources without authentication.
+          %br
+          It can be used for atom feed or API
+        %p.cgray
+          - if current_user.private_token
+            = text_field_tag "token", current_user.private_token, class: "xxlarge large_text"
+            = f.submit 'Reset', confirm: "Are you sure?", class: "btn btn-primary btn-build-token"
+          - else
+            %span You don`t have one yet. Click generate to fix it.
+            = f.submit 'Generate', class: "btn success btn-build-token"
 - if current_user.can_change_username?
  %fieldset.update-username
    %legend