Commit dd9ced0a authored by Rémy Coutable's avatar Rémy Coutable

Merge branch 'connorshea/gitlab-ce-revoke-authorized-application' into 'master'

Fix revoking of authorized OAuth applications

Users were not able to revoke access to authorized OAuth applications. Clicking the "Revoke" button would result in a 404 page, and the application would still be authorized.

Added a spec and also found that the `gon` variables were not being set for this view.

Closes #14370

See merge request !3690
parents 4a514b27 e450892f
......@@ -2,6 +2,7 @@ Please view this file on the master branch, on stable branches it's out of date.
v 8.7.0 (unreleased)
- The Projects::HousekeepingService class has extra instrumentation (Yorick Peterse)
- Fix revoking of authorized OAuth applications (Connor Shea)
- All service classes (those residing in app/services) are now instrumented (Yorick Peterse)
- Developers can now add custom tags to transactions (Yorick Peterse)
- Loading of an issue's referenced merge requests and related branches is now done asynchronously (Yorick Peterse)
......
......@@ -3,6 +3,7 @@ require 'fogbugz'
class ApplicationController < ActionController::Base
include Gitlab::CurrentSettings
include Gitlab::GonHelper
include GitlabRoutingHelper
include PageLayoutHelper
......@@ -158,20 +159,6 @@ class ApplicationController < ActionController::Base
end
end
def add_gon_variables
gon.api_version = API::API.version
gon.default_avatar_url = URI::join(Gitlab.config.gitlab.url, ActionController::Base.helpers.image_path('no_avatar.png')).to_s
gon.default_issues_tracker = Project.new.default_issue_tracker.to_param
gon.max_file_size = current_application_settings.max_attachment_size
gon.relative_url_root = Gitlab.config.gitlab.relative_url_root
gon.user_color_scheme = Gitlab::ColorSchemes.for_user(current_user).css_class
if current_user
gon.current_user_id = current_user.id
gon.api_token = current_user.private_token
end
end
def validate_user_service_ticket!
return unless signed_in? && session[:service_tickets]
......
class Oauth::ApplicationsController < Doorkeeper::ApplicationsController
include Gitlab::CurrentSettings
include Gitlab::GonHelper
include PageLayoutHelper
before_action :verify_user_oauth_applications_enabled
before_action :authenticate_user!
before_action :add_gon_variables
layout 'profile'
......
# == Schema Information
#
# Table name: oauth_access_tokens
#
# id :integer not null, primary key
# resource_owner_id :integer
# application_id :integer
# token :string not null
# refresh_token :string
# expires_in :integer
# revoked_at :datetime
# created_at :datetime not null
# scopes :string
#
class OauthAccessToken < ActiveRecord::Base
belongs_to :resource_owner, class_name: 'User'
belongs_to :application, class_name: 'Doorkeeper::Application'
end
......@@ -68,7 +68,7 @@
%td= app.name
%td= token.created_at
%td= token.scopes
%td= render 'delete_form', application: app
%td= render 'doorkeeper/authorized_applications/delete_form', application: app
- @authorized_anonymous_tokens.each do |token|
%tr
%td
......
module Gitlab
module GonHelper
def add_gon_variables
gon.api_version = API::API.version
gon.default_avatar_url = URI::join(Gitlab.config.gitlab.url, ActionController::Base.helpers.image_path('no_avatar.png')).to_s
gon.default_issues_tracker = Project.new.default_issue_tracker.to_param
gon.max_file_size = current_application_settings.max_attachment_size
gon.relative_url_root = Gitlab.config.gitlab.relative_url_root
gon.user_color_scheme = Gitlab::ColorSchemes.for_user(current_user).css_class
if current_user
gon.current_user_id = current_user.id
gon.api_token = current_user.private_token
end
end
end
end
# == Schema Information
#
# Table name: oauth_access_tokens
#
# id :integer not null, primary key
# resource_owner_id :integer
# application_id :integer
# token :string not null
# refresh_token :string
# expires_in :integer
# revoked_at :datetime
# created_at :datetime not null
# scopes :string
#
FactoryGirl.define do
factory :oauth_access_token do
resource_owner
application
token '123456'
end
end
FactoryGirl.define do
factory :oauth_application, class: 'Doorkeeper::Application', aliases: [:application] do
name { FFaker::Name.name }
uid { FFaker::Name.name }
redirect_uri { FFaker::Internet.uri('http') }
owner
owner_type 'User'
end
end
FactoryGirl.define do
sequence(:name) { FFaker::Name.name }
factory :user, aliases: [:author, :assignee, :recipient, :owner, :creator] do
factory :user, aliases: [:author, :assignee, :recipient, :owner, :creator, :resource_owner] do
email { FFaker::Internet.email }
name
sequence(:username) { |n| "#{FFaker::Internet.user_name}#{n}" }
......
require 'spec_helper'
describe 'Profile > Applications', feature: true do
let(:user) { create(:user) }
before do
login_as(user)
end
describe 'User manages applications', js: true do
it 'deletes an application' do
create(:oauth_application, owner: user)
visit oauth_applications_path
page.within('.oauth-applications') do
expect(page).to have_content('Your applications (1)')
click_button 'Destroy'
end
expect(page).to have_content('The application was deleted successfully')
expect(page).to have_content('Your applications (0)')
expect(page).to have_content('Authorized applications (0)')
end
it 'deletes an authorized application' do
create(:oauth_access_token, resource_owner: user)
visit oauth_applications_path
page.within('.oauth-authorized-applications') do
expect(page).to have_content('Authorized applications (1)')
click_button 'Revoke'
end
expect(page).to have_content('The application was revoked access.')
expect(page).to have_content('Your applications (0)')
expect(page).to have_content('Authorized applications (0)')
end
end
end
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment