Merge branch 'jej/required-saml-groups-unblocks-correctly' into 'master'

Avoid incorrectly unblocking SAML users via `required_groups` Closes gitlab-ce#45525 See merge request gitlab-org/gitlab-ee!9489

Merge branch 'jej/required-saml-groups-unblocks-correctly' into 'master'
Avoid incorrectly unblocking SAML users via `required_groups` Closes gitlab-ce#45525 See merge request gitlab-org/gitlab-ee!9489
8805d9c5 · Douglas Barbosa Alexandre · 83bb1bb5 · 76ddd135 · 8805d9c5 · 8805d9c5
Commit 8805d9c5 authored Feb 07, 2019 by Douglas Barbosa Alexandre
3 changed files
--- a/ee/changelogs/unreleased/jej-required-saml-groups-unblocks-correctly.yml
+++ b/ee/changelogs/unreleased/jej-required-saml-groups-unblocks-correctly.yml
+---
+title: Avoid SAML required_groups indiscriminately unblocking users on login
+merge_request: 9489
+author:
+type: fixed
--- a/ee/lib/ee/gitlab/auth/saml/user.rb
+++ b/ee/lib/ee/gitlab/auth/saml/user.rb
@@ -12,7 +12,7 @@ module EE
            user = super

            if user_in_required_group?
-              unblock_user(user, "in required group") if user.persisted? && user.blocked?
+              unblock_user(user, "in required group") if user.persisted? && user.ldap_blocked?
            elsif user.persisted?
              block_user(user, "not in required group") unless user.blocked?
            else

--- a/ee/spec/lib/gitlab/auth/saml/user_spec.rb
+++ b/ee/spec/lib/gitlab/auth/saml/user_spec.rb
@@ -119,6 +119,13 @@ describe Gitlab::Auth::Saml::User do
            expect(saml_user.find_user).to be_active
          end

+          it 'does not unblock manually blocked members' do
+            stub_saml_required_group_config(%w(Developers))
+            saml_user.save.block!
+
+            expect(saml_user.find_user).not_to be_active
+          end
+
          it 'does not allow non-members' do
            stub_saml_required_group_config(%w(ArchitectureAstronauts))