Check LDAP user filter during sign-in

author: Jacob Vosmaer <contact@jacobvosmaer.nl> 2014-06-12 16:01:23 +0200
committer: Jacob Vosmaer <contact@jacobvosmaer.nl> 2014-06-13 08:14:34 +0200
commit: 8761dd2a6fb2e19556fbfaa30ab211c1f09f3e29 (patch)
tree: 36d6dbed52a5bfd964c861fa1b9cbdcc62135a17
parent: a5cbb4cb82a6911b5c1de117ae6ed4cbf667a679 (diff)
download: gitlab-ce-8761dd2a6fb2e19556fbfaa30ab211c1f09f3e29.tar.gz
2 files changed, 10 insertions, 1 deletions
diff --git a/CHANGELOG b/CHANGELOG
index 2e4736a0803..7279b7c8c06 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -33,6 +33,7 @@ v 7.0.0
   - Overall performance improvements
   - Skip init script check on omnibus-gitlab
   - Be more selective when killing stray Sidekiqs
+  - Check LDAP user filter during sign-in
 
 v 6.9.2
   - Revert the commit that broke the LDAP user filter
diff --git a/app/controllers/omniauth_callbacks_controller.rb b/app/controllers/omniauth_callbacks_controller.rb
index 7131e0fe181..0c87fe0d9ae 100644
--- a/app/controllers/omniauth_callbacks_controller.rb
+++ b/app/controllers/omniauth_callbacks_controller.rb
@@ -20,7 +20,15 @@ class OmniauthCallbacksController < Devise::OmniauthCallbacksController
     # if the authentication to LDAP was successful.
     @user = Gitlab::LDAP::User.find_or_create(oauth)
     @user.remember_me = true if @user.persisted?
-    sign_in_and_redirect(@user)
+
+    gitlab_ldap_access do |access|
+      if access.allowed?(@user)
+        sign_in_and_redirect(@user)
+      else
+        flash[:alert] = "Access denied for your LDAP account."
+        redirect_to new_user_session_path
+      end
+    end
   end
 
   private
author	Jacob Vosmaer <contact@jacobvosmaer.nl>	2014-06-12 16:01:23 +0200
committer	Jacob Vosmaer <contact@jacobvosmaer.nl>	2014-06-13 08:14:34 +0200
commit	8761dd2a6fb2e19556fbfaa30ab211c1f09f3e29 (patch)
tree	36d6dbed52a5bfd964c861fa1b9cbdcc62135a17
parent	a5cbb4cb82a6911b5c1de117ae6ed4cbf667a679 (diff)
download	gitlab-ce-8761dd2a6fb2e19556fbfaa30ab211c1f09f3e29.tar.gz