Dont allow LDAP users to change password inside GitLab

1 files changed, 12 insertions, 3 deletions

diff --git a/app/controllers/profiles_controller.rb b/app/controllers/profiles_controller.rb
index f0d69f11184..686edd8af80 100644
--- a/app/controllers/profiles_controller.rb
+++ b/app/controllers/profiles_controller.rb
@@ -2,6 +2,9 @@ class ProfilesController < ApplicationController
   include ActionView::Helpers::SanitizeHelper
 
   before_filter :user
+  before_filter :authorize_change_password!, only: :update_password
+  before_filter :authorize_change_username!, only: :update_username
+
   layout 'profile'
 
   def show
@@ -53,9 +56,7 @@ class ProfilesController < ApplicationController
   end
 
   def update_username
-    if @user.can_change_username?
-      @user.update_attributes(username: params[:user][:username])
-    end
+    @user.update_attributes(username: params[:user][:username])
 
     respond_to do |format|
       format.js
@@ -80,4 +81,12 @@ class ProfilesController < ApplicationController
 
     user_attributes
   end
+
+  def authorize_change_password!
+    return render_404 if @user.ldap_user?
+  end
+
+  def authorize_change_username!
+    return render_404 unless @user.can_change_username?
+  end
 end