Commit d7c88ee1 authored by James Edwards-Jones's avatar James Edwards-Jones

Group SAML skips forgery protection in production

parent 61bbab8a
class Groups::OmniauthCallbacksController < OmniauthCallbacksController class Groups::OmniauthCallbacksController < OmniauthCallbacksController
extend ::Gitlab::Utils::Override extend ::Gitlab::Utils::Override
skip_before_filter :verify_authenticity_token, only: :group_saml
def group_saml def group_saml
@unauthenticated_group = Group.find_by_full_path(params[:group_id]) @unauthenticated_group = Group.find_by_full_path(params[:group_id])
saml_provider = @unauthenticated_group.saml_provider saml_provider = @unauthenticated_group.saml_provider
......
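Review bot: `skip_before_filter :verify_authenticity_token, only: :group_saml` turns off the session-token CSRF check for an action that receives a cross-origin POST from the identity provider, so the callback body now relies entirely on the SAML response validation done in the strategy to reject forged or replayed posts; that dependency is not stated anywhere in the hunk. A one-line comment above the skip would keep the next maintainer from widening `only:` or copying the pattern elsewhere, e.g. `# The IdP POSTs the SAMLResponse without a Rails CSRF token; this action is authenticated by validating the signed SAML response (see the group's saml_provider), not by the session token.` If the app is on Rails 5 the `skip_before_action` spelling is the current name, `skip_before_filter` being the deprecated alias — worth confirming against the Rails version in use. The `group_saml` body continues past the visible lines.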
---
title: Group SAML skips forgery protection in production
merge_request: 5621
author:
type: fixed
...@@ -2,6 +2,7 @@ require 'spec_helper' ...@@ -2,6 +2,7 @@ require 'spec_helper'
describe Groups::OmniauthCallbacksController do describe Groups::OmniauthCallbacksController do
include LoginHelpers include LoginHelpers
include ForgeryProtection
let(:uid) { 'my-uid' } let(:uid) { 'my-uid' }
let(:user) { create(:user) } let(:user) { create(:user) }
...@@ -56,6 +57,15 @@ describe Groups::OmniauthCallbacksController do ...@@ -56,6 +57,15 @@ describe Groups::OmniauthCallbacksController do
it 'uses existing linked identity' do it 'uses existing linked identity' do
expect { post provider, group_id: group }.not_to change(linked_accounts, :count) expect { post provider, group_id: group }.not_to change(linked_accounts, :count)
end end
it 'skips authenticity token based forgery protection' do
with_forgery_protection do
post provider, group_id: group
expect(response).not_to be_client_error
expect(response).not_to be_server_error
end
end
end end
context 'oauth already linked to another account' do context 'oauth already linked to another account' do
......
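Review bot: The new example `'skips authenticity token based forgery protection'` only asserts that the POST is neither a client nor a server error, so it would also pass if `with_forgery_protection` had no effect in the controller-spec environment (for instance if the test setup overrides `allow_forgery_protection` per request); there is no control showing protection is actually engaged. Adding a precondition inside the block, `expect(ActionController::Base.allow_forgery_protection).to be(true)`, or a sibling example posting to an action not covered by `only:` and expecting it to be rejected, would make the test fail for the right reason. The example sits in a context whose opening `describe`/`context` lines are outside the hunk (`@@ -56,6 +57,15`).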
module ForgeryProtection
def with_forgery_protection
ActionController::Base.allow_forgery_protection = true
yield
ensure
ActionController::Base.allow_forgery_protection = false
end
module_function :with_forgery_protection
end
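Review bot: The `ensure` branch of `with_forgery_protection` unconditionally resets `ActionController::Base.allow_forgery_protection` to `false` rather than to whatever it was before the block, so a caller that already had protection on (or a nested use) has the global clobbered after the block exits. Capturing the prior value fixes it: `previous = ActionController::Base.allow_forgery_protection` before the assignment on the first line, and `ActionController::Base.allow_forgery_protection = previous` in the `ensure`. The same helper is now also used by the `config.around(:each, :allow_forgery_protection)` hook, so that path gets the fix for free.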
RSpec.configure do |config| RSpec.configure do |config|
config.around(:each, :allow_forgery_protection) do |example| config.around(:each, :allow_forgery_protection) do |example|
begin ForgeryProtection.with_forgery_protection do
ActionController::Base.allow_forgery_protection = true
example.call example.call
ensure
ActionController::Base.allow_forgery_protection = false
end end
end end
end end