Skip to content
Projects
Groups
Snippets
Help
Loading...
Help
Support
Keyboard shortcuts
?
Submit feedback
Contribute to GitLab
Sign in / Register
Toggle navigation
G
gitlab-ce
Project overview
Project overview
Details
Activity
Releases
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Issues
0
Issues
0
List
Boards
Labels
Milestones
Merge Requests
0
Merge Requests
0
Analytics
Analytics
Repository
Value Stream
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Create a new issue
Commits
Issue Boards
Open sidebar
Léo-Paul Géneau
gitlab-ce
Commits
4530f5d0
Commit
4530f5d0
authored
May 31, 2021
by
GitLab Bot
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
Add latest changes from gitlab-org/security/gitlab@13-12-stable-ee
parent
15c040a6
Changes
4
Hide whitespace changes
Inline
Side-by-side
Showing
4 changed files
with
42 additions
and
48 deletions
+42
-48
app/controllers/oauth/authorizations_controller.rb
app/controllers/oauth/authorizations_controller.rb
+2
-1
app/views/doorkeeper/authorizations/redirect.html.haml
app/views/doorkeeper/authorizations/redirect.html.haml
+7
-0
locale/gitlab.pot
locale/gitlab.pot
+3
-0
spec/controllers/oauth/authorizations_controller_spec.rb
spec/controllers/oauth/authorizations_controller_spec.rb
+30
-47
No files found.
app/controllers/oauth/authorizations_controller.rb
View file @
4530f5d0
...
...
@@ -14,8 +14,9 @@ class Oauth::AuthorizationsController < Doorkeeper::AuthorizationsController
if
pre_auth
.
authorizable?
if
skip_authorization?
||
matching_token?
auth
=
authorization
.
authorize
parsed_redirect_uri
=
URI
.
parse
(
auth
.
redirect_uri
)
session
.
delete
(
:user_return_to
)
re
direct_to
auth
.
redirect_uri
re
nder
"doorkeeper/authorizations/redirect"
,
locals:
{
redirect_uri:
parsed_redirect_uri
},
layout:
false
else
render
"doorkeeper/authorizations/new"
end
...
...
app/views/doorkeeper/authorizations/redirect.html.haml
0 → 100644
View file @
4530f5d0
%h3
.page-title
=
_
(
"Redirecting"
)
%div
%a
{
:href
=>
redirect_uri
}
Click here to redirect to
#{
redirect_uri
}
:javascript
window
.
location
=
"
#{
redirect_uri
}
"
;
locale/gitlab.pot
View file @
4530f5d0
...
...
@@ -26967,6 +26967,9 @@ msgstr ""
msgid "Redirect to SAML provider to test configuration"
msgstr ""
msgid "Redirecting"
msgstr ""
msgid "Redis"
msgstr ""
...
...
spec/controllers/oauth/authorizations_controller_spec.rb
View file @
4530f5d0
...
...
@@ -70,76 +70,59 @@ RSpec.describe Oauth::AuthorizationsController do
describe
'GET #new'
do
subject
{
get
:new
,
params:
params
}
include_examples
'OAuth Authorizations require confirmed user'
include_examples
"Implicit grant can't be used in confidential application"
context
'rendering of views based on the ownership of the application'
do
shared_examples
'render views'
do
render_views
it
'returns 200 and renders view with correct info'
,
:aggregate_failures
do
subject
context
'when the user is confirmed'
do
let
(
:confirmed_at
)
{
1
.
hour
.
ago
}
expect
(
response
).
to
have_gitlab_http_status
(
:ok
)
expect
(
response
.
body
).
to
include
(
application
.
owner
.
name
)
expect
(
response
).
to
render_template
(
'doorkeeper/authorizations/new'
)
end
end
context
'when there is already an access token for the application with a matching scope'
do
before
do
scopes
=
Doorkeeper
::
OAuth
::
Scopes
.
from_string
(
'api'
)
subject
{
get
:new
,
params:
params
}
allow
(
Doorkeeper
.
configuration
).
to
receive
(
:scopes
).
and_return
(
scopes
)
context
'when auth app owner is a user'
do
context
'with valid params'
do
it_behaves_like
'render views'
create
(
:oauth_access_token
,
application:
application
,
resource_owner_id:
user
.
id
,
scopes:
scopes
)
end
end
context
'when auth app owner is a group'
do
let
(
:group
)
{
create
(
:group
)
}
context
'when auth app owner is a root group
'
do
let
(
:application
)
{
create
(
:oauth_application
,
owner_id:
group
.
id
,
owner_type:
'Namespace'
)
}
it
'authorizes the request and shows the user a page that redirects
'
do
subject
it_behaves_like
'render views'
expect
(
request
.
session
[
'user_return_to'
]).
to
be_nil
expect
(
response
).
to
have_gitlab_http_status
(
:ok
)
expect
(
response
).
to
render_template
(
'doorkeeper/authorizations/redirect'
)
end
end
context
'when auth app owner is a subgroup
'
do
let
(
:subgroup
)
{
create
(
:group
,
parent:
group
)
}
let
(
:application
)
{
create
(
:oauth_application
,
owner_id:
subgroup
.
id
,
owner_type:
'Namespace'
)
}
context
'without valid params
'
do
it
'returns 200 code and renders error view'
do
get
:new
it_behaves_like
'render views'
expect
(
response
).
to
have_gitlab_http_status
(
:ok
)
expect
(
response
).
to
render_template
(
'doorkeeper/authorizations/error'
)
end
end
context
'w
hen there is no owner associated
'
do
let
(
:application
)
{
create
(
:oauth_application
,
owner_id:
nil
,
owner_type:
nil
)
}
context
'w
ith valid params
'
do
render_views
it
'renders view'
do
it
're
turns 200 code and re
nders view'
do
subject
expect
(
response
).
to
have_gitlab_http_status
(
:ok
)
expect
(
response
).
to
render_template
(
'doorkeeper/authorizations/new'
)
end
end
end
context
'without valid params
'
do
it
'returns 200 code and renders error view'
do
get
:new
it
'deletes session.user_return_to and redirects when skip authorization
'
do
application
.
update!
(
trusted:
true
)
request
.
session
[
'user_return_to'
]
=
'http://example.com'
expect
(
response
).
to
have_gitlab_http_status
(
:ok
)
expect
(
response
).
to
render_template
(
'doorkeeper/authorizations/error'
)
end
end
it
'deletes session.user_return_to and redirects when skip authorization'
do
application
.
update!
(
trusted:
true
)
request
.
session
[
'user_return_to'
]
=
'http://example.com'
subject
subject
expect
(
request
.
session
[
'user_return_to'
]).
to
be_nil
expect
(
response
).
to
have_gitlab_http_status
(
:found
)
expect
(
request
.
session
[
'user_return_to'
]).
to
be_nil
expect
(
response
).
to
have_gitlab_http_status
(
:ok
)
expect
(
response
).
to
render_template
(
'doorkeeper/authorizations/redirect'
)
end
end
end
end
...
...
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment