Commit e17bff08 authored by Markus Koller's avatar Markus Koller

Merge branch '243444-user-cannot-sign-out-of-gitlab-once-admin-resets-their-password' into 'master'

Resolve "User cannot sign out of GitLab once admin resets their password."

See merge request gitlab-org/gitlab!40830
parents 6999d743 1cd37602
...@@ -10,6 +10,8 @@ class SessionsController < Devise::SessionsController ...@@ -10,6 +10,8 @@ class SessionsController < Devise::SessionsController
include KnownSignIn include KnownSignIn
skip_before_action :check_two_factor_requirement, only: [:destroy] skip_before_action :check_two_factor_requirement, only: [:destroy]
skip_before_action :check_password_expiration, only: [:destroy]
# replaced with :require_no_authentication_without_flash # replaced with :require_no_authentication_without_flash
skip_before_action :require_no_authentication, only: [:new, :create] skip_before_action :require_no_authentication, only: [:new, :create]
......
---
title: Allow users with expired passwords to sign out
merge_request: 40830
author:
type: fixed
...@@ -6,11 +6,11 @@ RSpec.describe SessionsController do ...@@ -6,11 +6,11 @@ RSpec.describe SessionsController do
include DeviseHelpers include DeviseHelpers
include LdapHelpers include LdapHelpers
describe '#new' do before do
before do set_devise_mapping(context: @request)
set_devise_mapping(context: @request) end
end
describe '#new' do
context 'when auto sign-in is enabled' do context 'when auto sign-in is enabled' do
before do before do
stub_omniauth_setting(auto_sign_in_with_provider: :saml) stub_omniauth_setting(auto_sign_in_with_provider: :saml)
...@@ -59,13 +59,19 @@ RSpec.describe SessionsController do ...@@ -59,13 +59,19 @@ RSpec.describe SessionsController do
end end
end end
end end
end
describe '#create' do it "redirects correctly for referer on same host with params" do
before do host = "test.host"
set_devise_mapping(context: @request) search_path = "/search?search=seed_project"
request.headers[:HTTP_REFERER] = "http://#{host}#{search_path}"
get(:new, params: { redirect_to_referer: :yes })
expect(controller.stored_location_for(:redirect)).to eq(search_path)
end end
end
describe '#create' do
it_behaves_like 'known sign in' do it_behaves_like 'known sign in' do
let(:user) { create(:user) } let(:user) { create(:user) }
let(:post_action) { post(:create, params: { user: { login: user.username, password: user.password } }) } let(:post_action) { post(:create, params: { user: { login: user.username, password: user.password } }) }
...@@ -439,25 +445,8 @@ RSpec.describe SessionsController do ...@@ -439,25 +445,8 @@ RSpec.describe SessionsController do
end end
end end
describe "#new" do
before do
set_devise_mapping(context: @request)
end
it "redirects correctly for referer on same host with params" do
host = "test.host"
search_path = "/search?search=seed_project"
request.headers[:HTTP_REFERER] = "http://#{host}#{search_path}"
get(:new, params: { redirect_to_referer: :yes })
expect(controller.stored_location_for(:redirect)).to eq(search_path)
end
end
context 'when login fails' do context 'when login fails' do
before do before do
set_devise_mapping(context: @request)
@request.env["warden.options"] = { action: 'unauthenticated' } @request.env["warden.options"] = { action: 'unauthenticated' }
end end
...@@ -471,10 +460,6 @@ RSpec.describe SessionsController do ...@@ -471,10 +460,6 @@ RSpec.describe SessionsController do
describe '#set_current_context' do describe '#set_current_context' do
let_it_be(:user) { create(:user) } let_it_be(:user) { create(:user) }
before do
set_devise_mapping(context: @request)
end
context 'when signed in' do context 'when signed in' do
before do before do
sign_in(user) sign_in(user)
...@@ -528,4 +513,21 @@ RSpec.describe SessionsController do ...@@ -528,4 +513,21 @@ RSpec.describe SessionsController do
end end
end end
end end
describe '#destroy' do
before do
sign_in(user)
end
context 'for a user whose password has expired' do
let(:user) { create(:user, password_expires_at: 2.days.ago) }
it 'allows to sign out successfully' do
delete :destroy
expect(response).to redirect_to(new_user_session_path)
expect(controller.current_user).to be_nil
end
end
end
end end
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment