Commit e17bff08 authored by Markus Koller's avatar Markus Koller

Merge branch '243444-user-cannot-sign-out-of-gitlab-once-admin-resets-their-password' into 'master'

Resolve "User cannot sign out of GitLab once admin resets their password."

See merge request gitlab-org/gitlab!40830
parents 6999d743 1cd37602
......@@ -10,6 +10,8 @@ class SessionsController < Devise::SessionsController
include KnownSignIn
skip_before_action :check_two_factor_requirement, only: [:destroy]
skip_before_action :check_password_expiration, only: [:destroy]
# replaced with :require_no_authentication_without_flash
skip_before_action :require_no_authentication, only: [:new, :create]
......
---
title: Allow users with expired passwords to sign out
merge_request: 40830
author:
type: fixed
......@@ -6,11 +6,11 @@ RSpec.describe SessionsController do
include DeviseHelpers
include LdapHelpers
describe '#new' do
before do
set_devise_mapping(context: @request)
end
describe '#new' do
context 'when auto sign-in is enabled' do
before do
stub_omniauth_setting(auto_sign_in_with_provider: :saml)
......@@ -59,13 +59,19 @@ RSpec.describe SessionsController do
end
end
end
end
describe '#create' do
before do
set_devise_mapping(context: @request)
it "redirects correctly for referer on same host with params" do
host = "test.host"
search_path = "/search?search=seed_project"
request.headers[:HTTP_REFERER] = "http://#{host}#{search_path}"
get(:new, params: { redirect_to_referer: :yes })
expect(controller.stored_location_for(:redirect)).to eq(search_path)
end
end
describe '#create' do
it_behaves_like 'known sign in' do
let(:user) { create(:user) }
let(:post_action) { post(:create, params: { user: { login: user.username, password: user.password } }) }
......@@ -439,25 +445,8 @@ RSpec.describe SessionsController do
end
end
describe "#new" do
before do
set_devise_mapping(context: @request)
end
it "redirects correctly for referer on same host with params" do
host = "test.host"
search_path = "/search?search=seed_project"
request.headers[:HTTP_REFERER] = "http://#{host}#{search_path}"
get(:new, params: { redirect_to_referer: :yes })
expect(controller.stored_location_for(:redirect)).to eq(search_path)
end
end
context 'when login fails' do
before do
set_devise_mapping(context: @request)
@request.env["warden.options"] = { action: 'unauthenticated' }
end
......@@ -471,10 +460,6 @@ RSpec.describe SessionsController do
describe '#set_current_context' do
let_it_be(:user) { create(:user) }
before do
set_devise_mapping(context: @request)
end
context 'when signed in' do
before do
sign_in(user)
......@@ -528,4 +513,21 @@ RSpec.describe SessionsController do
end
end
end
describe '#destroy' do
before do
sign_in(user)
end
context 'for a user whose password has expired' do
let(:user) { create(:user, password_expires_at: 2.days.ago) }
it 'allows to sign out successfully' do
delete :destroy
expect(response).to redirect_to(new_user_session_path)
expect(controller.current_user).to be_nil
end
end
end
end
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment