Commit cb71b263 authored by Dmitriy Zaporozhets's avatar Dmitriy Zaporozhets

Merge branch 'ldap_allow_email' into 'master'

Avoid ldap.allow_username_or_email_login issues

See merge request !1016
parents f2befb69 1526ddce
......@@ -9,6 +9,7 @@ v 7.3.0
- Prevent project stars duplication when fork project
- Support Unix domain sockets for Redis
- Store session Redis keys in 'session:gitlab:' namespace
- Deprecate LDAP account takeover based on partial LDAP email / GitLab username match
v 7.2.0
- Explore page
......
......@@ -143,7 +143,7 @@ production: &base
#
# If you are using "uid: 'userPrincipalName'" on ActiveDirectory you need to
# disable this setting, because the userPrincipalName contains an '@'.
allow_username_or_email_login: true
allow_username_or_email_login: false
# Base where we can search for users
#
......
......@@ -26,7 +26,7 @@ module Gitlab
# * When user already has account and need to link their LDAP account.
# * LDAP uid changed for user with same email and we need to update their uid
#
user = find_user(email)
user = model.find_by(email: email)
if user
user.update_attributes(extern_uid: uid, provider: provider)
......@@ -43,21 +43,6 @@ module Gitlab
user
end
def find_user(email)
user = model.find_by(email: email)
# If no user found and allow_username_or_email_login is true
# we look for user by extracting part of their email
if !user && email && ldap_conf['allow_username_or_email_login']
uname = email.partition('@').first
# Strip apostrophes since they are disallowed as part of username
username = uname.gsub("'", "")
user = model.find_by(username: username)
end
user
end
def authenticate(login, password)
# Check user against LDAP backend if user is not authenticated
# Only check with valid login and password to prevent anonymous bind results
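Review bot: The lookup that remains, `user = model.find_by(email: email)`, still attaches an LDAP identity to an existing GitLab account on an e-mail match alone, through the `update_attributes(extern_uid: uid, provider: provider)` call directly below it. That is only safe if users cannot edit their own mail attribute in the directory and the matched GitLab e-mail is a confirmed one. Neither condition is checked in the visible lines, though it may be enforced elsewhere. I would record the assumption in the comment block above the lookup, for example `# Linking by email trusts the LDAP mail attribute; it must not be user-editable in the directory.` The spec removed in this commit could be replaced by one asserting that a username-only match is not linked even when `allow_username_or_email_login` is true, which would pin the removal; the enclosing method starts and ends outside the hunk.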
......
......@@ -31,18 +31,6 @@ describe Gitlab::LDAP do
gl_auth.find_or_create(@auth)
end
it "should update credentials by username if missing uid and Gitlab.config.ldap.allow_username_or_email_login is true" do
user = double('User')
value = Gitlab.config.ldap.allow_username_or_email_login
Gitlab.config.ldap['allow_username_or_email_login'] = true
User.stub find_by_extern_uid_and_provider: nil
User.stub(:find_by).with(hash_including(email: anything())) { nil }
User.stub(:find_by).with(hash_including(username: anything())) { user }
user.should_receive :update_attributes
gl_auth.find_or_create(@auth)
Gitlab.config.ldap['allow_username_or_email_login'] = value
end
it "should not update credentials by username if missing uid and Gitlab.config.ldap.allow_username_or_email_login is false" do
user = double('User')
value = Gitlab.config.ldap.allow_username_or_email_login
......