Check LDAP user filter during sign-in

Jacob Vosmaer
1 parent a5cbb4cb
Showing 2 changed files with 10 additions and 1 deletions Show diff stats
CHANGELOG
app/controllers/omniauth_callbacks_controller.rb
@@ -33,6 +33,7 @@ v 7.0.0
   - Overall performance improvements
   - Skip init script check on omnibus-gitlab
   - Be more selective when killing stray Sidekiqs
+  - Check LDAP user filter during sign-in
  
 v 6.9.2
   - Revert the commit that broke the LDAP user filter
@@ -20,7 +20,15 @@ class OmniauthCallbacksController &lt; Devise::OmniauthCallbacksController
     # if the authentication to LDAP was successful.
     @user = Gitlab::LDAP::User.find_or_create(oauth)
     @user.remember_me = true if @user.persisted?
-    sign_in_and_redirect(@user)
+
+    gitlab_ldap_access do |access|
+      if access.allowed?(@user)
+        sign_in_and_redirect(@user)
+      else
+        flash[:alert] = "Access denied for your LDAP account."
+        redirect_to new_user_session_path
+      end
+    end
   end
  
   private
...	...	@@ -33,6 +33,7 @@ v 7.0.0
33	33	- Overall performance improvements
34	34	- Skip init script check on omnibus-gitlab
35	35	- Be more selective when killing stray Sidekiqs
	36	+ - Check LDAP user filter during sign-in
36	37
37	38	v 6.9.2
38	39	- Revert the commit that broke the LDAP user filter
...	...
...	...	@@ -20,7 +20,15 @@ class OmniauthCallbacksController < Devise::OmniauthCallbacksController
20	20	# if the authentication to LDAP was successful.
21	21	@user = Gitlab::LDAP::User.find_or_create(oauth)
22	22	@user.remember_me = true if @user.persisted?
23		- sign_in_and_redirect(@user)
	23	+
	24	+ gitlab_ldap_access do \|access\|
	25	+ if access.allowed?(@user)
	26	+ sign_in_and_redirect(@user)
	27	+ else
	28	+ flash[:alert] = "Access denied for your LDAP account."
	29	+ redirect_to new_user_session_path
	30	+ end
	31	+ end
24	32	end
25	33
26	34	private
...	...