• Don't allow blocked users to authenticate through other means · 93daeee1
    Markus Koller authored
    Gitlab::Auth.find_with_user_password is currently used in these places:
    
    - resource_owner_from_credentials in config/initializers/doorkeeper.rb,
      which is used for the OAuth Resource Owner Password Credentials flow
    
    - the /session API call in lib/api/session.rb, which is used to reveal
      the user's current authentication_token
    
    In both cases users should only be authenticated if they're in the
    active state.
auth.rb 6.48 KB