Commit 7cb86eb33550b9e765bea0bfb52705e2b5584802

Authored by Dmitriy Zaporozhets
1 parent bd6dfe7d

Don't allow LDAP users to change password inside GitLab

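--- a/app/controllers/profiles_controller.rb
+++ b/app/controllers/profiles_controller.rb
@@ -2,6 +2,9 @@ class ProfilesController < ApplicationController
   include ActionView::Helpers::SanitizeHelper
 
   before_filter :user
+  before_filter :authorize_change_password!, only: :update_password
+  before_filter :authorize_change_username!, only: :update_username
+
   layout 'profile'
 
   def show
@@ -53,9 +56,7 @@ class ProfilesController < ApplicationController
   end
 
   def update_username
-    if @user.can_change_username?
-      @user.update_attributes(username: params[:user][:username])
-    end
+    @user.update_attributes(username: params[:user][:username])
 
     respond_to do |format|
       format.js
@@ -80,4 +81,12 @@ class ProfilesController < ApplicationController
 
     user_attributes
   end
+
+  def authorize_change_password!
+    return render_404 if @user.ldap_user?
+  end
+
+  def authorize_change_username!
+    return render_404 unless @user.can_change_username?
+  end
 end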
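Review bot: The new `authorize_change_password!` filter guards only `update_password`, so it is worth confirming that the general `update` action — which goes through `user_attributes`, called in the third hunk but defined outside it — cannot accept `password`/`password_confirmation`, otherwise an LDAP user could still set a local password by that route. The two new filter methods are placed after `user_attributes`; whether a `private` marker precedes them is outside the hunk, and they should be private like the other filter targets. The `return` in `return render_404 if @user.ldap_user?` is redundant inside a before_filter, since rendering already halts the chain: `render_404 if @user.ldap_user?` reads more plainly. A one-line comment on each filter would record the intent, e.g. `# LDAP-backed accounts manage their password in the directory, not in GitLab`.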
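--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -340,4 +340,8 @@ class User < ActiveRecord::Base
       nil
     end
   end
+
+  def ldap_user?
+    extern_uid && provider == 'ldap'
+  end
 end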
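Review bot: `ldap_user?` returns `nil` rather than `false` when `extern_uid` is unset, because `extern_uid && ...` short-circuits to the left operand; a predicate reads better as `!extern_uid.nil? && provider == 'ldap'` (or `extern_uid.present? && provider == 'ldap'` if an empty string should also not count as LDAP — a small behaviour change to decide deliberately). Since this method now gates whether a user may set a local password, a short comment stating that purpose would help the next reader, e.g. `# Account provisioned from LDAP: its credentials are owned by the directory, so GitLab must not let it set a local password.`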
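--- a/app/views/profiles/account.html.haml
+++ b/app/views/profiles/account.html.haml
@@ -1,11 +1,35 @@
-- if Gitlab.config.omniauth.enabled
-  %fieldset
-    %legend Social Accounts
-    .oauth_select_holder
-      %p.hint Tip: Click on icon to activate sigin with one of the following services
-      - User.omniauth_providers.each do |provider|
-        %span{class: oauth_active_class(provider) }
-          = link_to authbutton(provider, 32), omniauth_authorize_path(User, provider)
+- unless current_user.ldap_user?
+  - if Gitlab.config.omniauth.enabled
+    %fieldset
+      %legend Social Accounts
+      .oauth_select_holder
+        %p.hint Tip: Click on icon to activate sigin with one of the following services
+        - User.omniauth_providers.each do |provider|
+          %span{class: oauth_active_class(provider) }
+            = link_to authbutton(provider, 32), omniauth_authorize_path(User, provider)
+
+
+  %fieldset.update-password
+    %legend Password
+    = form_for @user, url: update_password_profile_path, method: :put do |f|
+      .padded
+        %p.slead After successful password update you will be redirected to login page where you should login with new password
+        -if @user.errors.any?
+          .alert.alert-error
+            %ul
+              - @user.errors.full_messages.each do |msg|
+                %li= msg
+
+        .clearfix
+          = f.label :password
+          .input= f.password_field :password, required: true
+        .clearfix
+          = f.label :password_confirmation
+          .input
+            = f.password_field :password_confirmation, required: true
+        .clearfix
+          .input
+            = f.submit 'Save password', class: "btn btn-save"
 
 
 
@@ -29,29 +53,6 @@
         %span You don`t have one yet. Click generate to fix it.
         = f.submit 'Generate', class: "btn success btn-build-token"
 
-%fieldset.update-password
-  %legend Password
-  = form_for @user, url: update_password_profile_path, method: :put do |f|
-    .padded
-      %p.slead After successful password update you will be redirected to login page where you should login with new password
-      -if @user.errors.any?
-        .alert.alert-error
-          %ul
-            - @user.errors.full_messages.each do |msg|
-              %li= msg
-
-      .clearfix
-        = f.label :password
-        .input= f.password_field :password, required: true
-      .clearfix
-        = f.label :password_confirmation
-        .input
-          = f.password_field :password_confirmation, required: true
-      .clearfix
-        .input
-          = f.submit 'Save password', class: "btn btn-save"
-
-
 
 - if current_user.can_change_username?
   %fieldset.update-username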
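Review bot: The new guard at the top of the template checks `current_user.ldap_user?`, while the password form right below it is bound to `@user` and the controller filter checks `@user.ldap_user?`; using one object in both places (`- unless @user.ldap_user?`, matching the form) keeps the UI condition from drifting from the enforcement if the two ever stop being the same record. Hiding the fieldsets is presentation only — the controller's `authorize_change_password!` filter is the actual control, so this change should not be read as the protection by itself. Among the moved lines, `-if @user.errors.any?` still lacks the space after `-` that every other control line in the file uses.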