Commit 8761dd2a6fb2e19556fbfaa30ab211c1f09f3e29
1 parent
a5cbb4cb
Exists in
spb-stable
and in
2 other branches
Check LDAP user filter during sign-in
Showing
2 changed files
with
10 additions
and
1 deletions
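--- a/CHANGELOG
+++ b/CHANGELOG
@@ -33,6 +33,7 @@ v 7.0.0
 - Overall performance improvements
 - Skip init script check on omnibus-gitlab
 - Be more selective when killing stray Sidekiqs
+- Check LDAP user filter during sign-in
 
 v 6.9.2
 - Revert the commit that broke the LDAP user filter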
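--- a/app/controllers/omniauth_callbacks_controller.rb
+++ b/app/controllers/omniauth_callbacks_controller.rb
@@ -20,7 +20,15 @@ class OmniauthCallbacksController < Devise::OmniauthCallbacksController
 # if the authentication to LDAP was successful.
 @user = Gitlab::LDAP::User.find_or_create(oauth)
 @user.remember_me = true if @user.persisted?
-sign_in_and_redirect(@user)
+
+gitlab_ldap_access do |access|
+if access.allowed?(@user)
+sign_in_and_redirect(@user)
+else
+flash[:alert] = "Access denied for your LDAP account."
+redirect_to new_user_session_path
+end
+end
 end
 
 private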
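Review bot: The `access.allowed?(@user)` check runs only after `Gitlab::LDAP::User.find_or_create(oauth)`, so an LDAP account excluded by the user filter may already have a local record created before it is refused; `find_or_create`'s body is not in this hunk, so that is inferred from its name. If so, the denied branch should make sure the record cannot be used through another sign-in path, and it should leave an audit trail, e.g. `Rails.logger.warn "LDAP user filter denied sign-in for #{@user.username}"` ahead of the `flash[:alert]` line. It is also worth confirming that `gitlab_ldap_access` always yields, since otherwise the action ends with neither a sign-in nor a redirect. The enclosing method starts above the hunk.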