Commit d7c88ee1 authored by James Edwards-Jones's avatar James Edwards-Jones

Group SAML skips forgery protection in production

parent 61bbab8a
class Groups::OmniauthCallbacksController < OmniauthCallbacksController
extend ::Gitlab::Utils::Override
skip_before_filter :verify_authenticity_token, only: :group_saml
def group_saml
@unauthenticated_group = Group.find_by_full_path(params[:group_id])
saml_provider = @unauthenticated_group.saml_provider
......
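Review bot: The `skip_before_filter :verify_authenticity_token, only: :group_saml` line carries no explanation, and a CSRF exemption is exactly the kind of line a future maintainer should not have to reverse-engineer: the IdP POSTs the SAMLResponse cross-site, so no Rails authenticity token can be present, and the action is instead protected by the provider's validation of the signed assertion. Add a comment above it, e.g. `# SAML ACS endpoint: the IdP POSTs the response cross-site with no authenticity token; the signed SAML assertion, not the CSRF token, authenticates this request.` Keep the `only:` scoping — widening it to the whole controller would remove protection from every other callback. Separately, `Group.find_by_full_path(params[:group_id])` returns nil for an unknown path, so the following `@unauthenticated_group.saml_provider` raises NoMethodError; if those lines are new in this commit (their side is not recoverable from the rendering) guard them, e.g. `return head :not_found unless @unauthenticated_group`. The body of `group_saml` continues outside the visible section.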
---
title: Group SAML skips forgery protection in production
merge_request: 5621
author:
type: fixed
......@@ -2,6 +2,7 @@ require 'spec_helper'
describe Groups::OmniauthCallbacksController do
include LoginHelpers
include ForgeryProtection
let(:uid) { 'my-uid' }
let(:user) { create(:user) }
......@@ -56,6 +57,15 @@ describe Groups::OmniauthCallbacksController do
it 'uses existing linked identity' do
expect { post provider, group_id: group }.not_to change(linked_accounts, :count)
end
it 'skips authenticity token based forgery protection' do
with_forgery_protection do
post provider, group_id: group
expect(response).not_to be_client_error
expect(response).not_to be_server_error
end
end
end
context 'oauth already linked to another account' do
......
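Review bot: The new example at 'skips authenticity token based forgery protection' only asserts what the response is not (no 4xx, no 5xx), so it would still pass if the action started ending in some unrelated redirect or a 200 that never signs the user in; pin the happy-path outcome instead, for instance `expect(response).to be_redirect` together with the redirect target the surrounding examples expect, so the example fails for the right reason once the CSRF skip is removed or the action changes. The `include ForgeryProtection` added at the top of the spec is only needed because `module_function` makes the instance copy private; calling `ForgeryProtection.with_forgery_protection` directly would make the dependency explicit. The enclosing context of these examples starts before the hunk.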
module ForgeryProtection
def with_forgery_protection
ActionController::Base.allow_forgery_protection = true
yield
ensure
ActionController::Base.allow_forgery_protection = false
end
module_function :with_forgery_protection
end
RSpec.configure do |config|
config.around(:each, :allow_forgery_protection) do |example|
begin
ActionController::Base.allow_forgery_protection = true
ForgeryProtection.with_forgery_protection do
example.call
ensure
ActionController::Base.allow_forgery_protection = false
end
end
end
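Review bot: `with_forgery_protection` resets `ActionController::Base.allow_forgery_protection` to a hard-coded `false` in its `ensure` rather than to whatever it was before, so any caller that already had the flag enabled (including the `around` hook in this same file, which sets it to `true` immediately before calling the helper) gets it silently turned off by the inner reset; capture and restore the previous value: `previous = ActionController::Base.allow_forgery_protection` before the assignment and `ActionController::Base.allow_forgery_protection = previous` in the `ensure`. The `around(:each, :allow_forgery_protection)` hook then does the same work twice — it sets the flag itself, calls the helper that sets it again, and resets it in a second `ensure` — and as printed that `ensure` sits inside the `do` block rather than the `begin`, which only parses on Ruby 2.5+; `config.around(:each, :allow_forgery_protection) { |example| ForgeryProtection.with_forgery_protection { example.call } }` expresses the intent in one line. Note in a comment that this toggles a global class attribute and is therefore unsafe for examples running concurrently in the same process.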