Commit c847f172 authored by Robert Speicher's avatar Robert Speicher Committed by Jan Provaznik

Merge branch 'fix_pat_auth-11-4' into 'security-11-4'

[11.4] Fix Token lookup for Git over HTTP and registry authentication

See merge request gitlab/gitlabhq!2577
parent 5091cc4f
...@@ -3,7 +3,7 @@ ...@@ -3,7 +3,7 @@
class PersonalAccessTokensFinder class PersonalAccessTokensFinder
attr_accessor :params attr_accessor :params
delegate :build, :find, :find_by, to: :execute delegate :build, :find, :find_by, :find_by_token, to: :execute
def initialize(params = {}) def initialize(params = {})
@params = params @params = params
......
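Review bot: The new `delegate ... :find_by_token, to: :execute` line keeps `:find_by` in the same delegation, so the `find_by(token: ...)` call that this merge request replaces in the other two files remains available to any caller that still uses it. If, as the title suggests, a plain `find_by(token:)` no longer matches stored tokens, a comment on the delegate line would stop the pattern from being reintroduced, e.g. `# Token lookups must use find_by_token; find_by(token: ...) does not match stored tokens`. What `execute` returns, and therefore whether it responds to `find_by_token`, is outside the hunk and should be confirmed.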
...@@ -463,7 +463,7 @@ class User < ActiveRecord::Base ...@@ -463,7 +463,7 @@ class User < ActiveRecord::Base
def find_by_personal_access_token(token_string) def find_by_personal_access_token(token_string)
return unless token_string return unless token_string
PersonalAccessTokensFinder.new(state: 'active').find_by(token: token_string)&.user # rubocop: disable CodeReuse/Finder PersonalAccessTokensFinder.new(state: 'active').find_by_token(token_string)&.user # rubocop: disable CodeReuse/Finder
end end
# Returns a user for the given SSH key. # Returns a user for the given SSH key.
......
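Review bot: `find_by_personal_access_token` returns the owning user of any token matched with `state: 'active'` and performs no scope check, whereas the sibling change in `Gitlab::Auth#personal_access_token_check` in this same merge request gates the same lookup behind `valid_scoped_token?`. That asymmetry is not documented, so a caller could reasonably assume this method implies the token is usable for the operation at hand. A comment above the method would make the contract explicit: `# Returns the user owning an active personal access token, or nil. Does not check token scopes; callers must enforce scope.` Whether `state: 'active'` also excludes expired tokens is decided in the finder, outside this hunk.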
...@@ -151,17 +151,15 @@ module Gitlab ...@@ -151,17 +151,15 @@ module Gitlab
end end
# rubocop: enable CodeReuse/ActiveRecord # rubocop: enable CodeReuse/ActiveRecord
# rubocop: disable CodeReuse/ActiveRecord
def personal_access_token_check(password) def personal_access_token_check(password)
return unless password.present? return unless password.present?
token = PersonalAccessTokensFinder.new(state: 'active').find_by(token: password) token = PersonalAccessTokensFinder.new(state: 'active').find_by_token(password)
if token && valid_scoped_token?(token, available_scopes) if token && valid_scoped_token?(token, available_scopes)
Gitlab::Auth::Result.new(token.user, nil, :personal_access_token, abilities_for_scopes(token.scopes)) Gitlab::Auth::Result.new(token.user, nil, :personal_access_token, abilities_for_scopes(token.scopes))
end end
end end
# rubocop: enable CodeReuse/ActiveRecord
def valid_oauth_token?(token) def valid_oauth_token?(token)
token && token.accessible? && valid_scoped_token?(token, [:api]) token && token.accessible? && valid_scoped_token?(token, [:api])
......
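Review bot: `personal_access_token_check` returns `nil` both when no active token matches `password` and when a token matches but `valid_scoped_token?(token, available_scopes)` fails, and nothing in the method records which case occurred; the `if` on the fourth line of the hunk has no `else`. For an authentication path that is the subject of a security fix, a short comment stating that contract would help reviewers, e.g. `# Returns a Result for an active, correctly scoped PAT; nil for unknown, inactive or insufficiently scoped tokens`. If the surrounding auth code has an audit or debug log for rejected credentials (not visible here), emitting it for the scope-failure branch would let operators distinguish bad tokens from under-scoped ones. `valid_scoped_token?`, `available_scopes` and `abilities_for_scopes` are defined outside the hunk.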