Merge branch 'bvl-fix-login-issue-with-ldap-enabled' into 'master'

Load the sessionscontroller after loading the ldap strategies Closes #35447 See merge request !13049

Merge branch 'bvl-fix-login-issue-with-ldap-enabled' into 'master'
Load the sessionscontroller after loading the ldap strategies Closes #35447 See merge request !13049
d964816b · Robert Speicher · 6536c990 · fa9adb65 · d964816b · d964816b
Commit d964816b authored Jul 24, 2017 by Robert Speicher
Showing with 13 additions and 0 deletions

app/controllers/sessions_controller.rb app/controllers/sessions_controller.rb +8 -0

changelogs/unreleased/bvl-fix-login-issue-with-ldap-enabled.yml ...logs/unreleased/bvl-fix-login-issue-with-ldap-enabled.yml +5 -0

No files found.
--- a/app/controllers/sessions_controller.rb
+++ b/app/controllers/sessions_controller.rb
@@ -5,6 +5,14 @@ class SessionsController < Devise::SessionsController
  skip_before_action :check_two_factor_requirement, only: [:destroy]
+  # Explicitly call protect from forgery before anything else. Otherwise the
+  # CSFR-token might be cleared before authentication is done. This was the case
+  # when LDAP was enabled and the `OmniauthCallbacksController` is loaded
+  #
+  # *Note:* `prepend: true` is the default for rails4, but this will be changed
+  # to `prepend: false` in rails5.
+  protect_from_forgery prepend: true, with: :exception
  prepend_before_action :check_initial_setup, only: [:new]
  prepend_before_action :authenticate_with_two_factor,
    if: :two_factor_enabled?, only: [:create]

--- a/changelogs/unreleased/bvl-fix-login-issue-with-ldap-enabled.yml
+++ b/changelogs/unreleased/bvl-fix-login-issue-with-ldap-enabled.yml
+---
+title: Fix cross site request protection when logging in as a regular user when LDAP
+  is enabled
+merge_request: 13049
+author: