Merge branch '243444-user-cannot-sign-out-of-gitlab-once-admin-resets-their-password' into 'master'

Resolve "User cannot sign out of GitLab once admin resets their password." See merge request gitlab-org/gitlab!40830

Merge branch '243444-user-cannot-sign-out-of-gitlab-once-admin-resets-their-password' into 'master'
Resolve "User cannot sign out of GitLab once admin resets their password." See merge request gitlab-org/gitlab!40830
e17bff08 · Markus Koller · 6999d743 · 1cd37602 · e17bff08 · e17bff08
Commit e17bff08 authored Sep 01, 2020 by Markus Koller
3 changed files
--- a/app/controllers/sessions_controller.rb
+++ b/app/controllers/sessions_controller.rb
@@ -10,6 +10,8 @@ class SessionsController < Devise::SessionsController
  include KnownSignIn
  skip_before_action :check_two_factor_requirement, only: [:destroy]
+  skip_before_action :check_password_expiration, only: [:destroy]
  # replaced with :require_no_authentication_without_flash
  skip_before_action :require_no_authentication, only: [:new, :create]

--- a/changelogs/unreleased/243444-user-cannot-sign-out-of-gitlab-once-admin-resets-their-password.yml
+++ b/changelogs/unreleased/243444-user-cannot-sign-out-of-gitlab-once-admin-resets-their-password.yml
+---
+title: Allow users with expired passwords to sign out
+merge_request: 40830
+author:
+type: fixed
--- a/spec/controllers/sessions_controller_spec.rb
+++ b/spec/controllers/sessions_controller_spec.rb
@@ -6,11 +6,11 @@ RSpec.describe SessionsController do
  include DeviseHelpers
  include LdapHelpers
-  describe '#new' do
+  before do
-    before do
+    set_devise_mapping(context: @request)
-      set_devise_mapping(context: @request)
+  end
-    end
+  describe '#new' do
    context 'when auto sign-in is enabled' do
      before do
        stub_omniauth_setting(auto_sign_in_with_provider: :saml)
@@ -59,13 +59,19 @@ RSpec.describe SessionsController do
        end
      end
    end
-  end
-  describe '#create' do
+    it "redirects correctly for referer on same host with params" do
-    before do
+      host = "test.host"
-      set_devise_mapping(context: @request)
+      search_path = "/search?search=seed_project"
+      request.headers[:HTTP_REFERER] = "http://#{host}#{search_path}"
+      get(:new, params: { redirect_to_referer: :yes })
+      expect(controller.stored_location_for(:redirect)).to eq(search_path)
    end
+  end
+  describe '#create' do
    it_behaves_like 'known sign in' do
      let(:user) { create(:user) }
      let(:post_action) { post(:create, params: { user: { login: user.username, password: user.password } }) }
@@ -439,25 +445,8 @@ RSpec.describe SessionsController do
    end
  end
-  describe "#new" do
-    before do
-      set_devise_mapping(context: @request)
-    end
-    it "redirects correctly for referer on same host with params" do
-      host = "test.host"
-      search_path = "/search?search=seed_project"
-      request.headers[:HTTP_REFERER] = "http://#{host}#{search_path}"
-      get(:new, params: { redirect_to_referer: :yes })
-      expect(controller.stored_location_for(:redirect)).to eq(search_path)
-    end
-  end
  context 'when login fails' do
    before do
-      set_devise_mapping(context: @request)
      @request.env["warden.options"] = { action:  'unauthenticated' }
    end
@@ -471,10 +460,6 @@ RSpec.describe SessionsController do
  describe '#set_current_context' do
    let_it_be(:user) { create(:user) }
-    before do
-      set_devise_mapping(context: @request)
-    end
    context 'when signed in' do
      before do
        sign_in(user)
@@ -528,4 +513,21 @@ RSpec.describe SessionsController do
      end
    end
  end
+  describe '#destroy' do
+    before do
+      sign_in(user)
+    end
+    context 'for a user whose password has expired' do
+      let(:user) { create(:user, password_expires_at: 2.days.ago) }
+      it 'allows to sign out successfully' do
+        delete :destroy
+        expect(response).to redirect_to(new_user_session_path)
+        expect(controller.current_user).to be_nil
+      end
+    end
+  end
 end