Rémy Coutable
a16d7e414d
Revert Rails.application.env_config after using mock_auth_hash
...
Signed-off-by: Rémy Coutable <remy@rymai.me>
2019-04-23 21:11:08 +02:00
gfyoung
93a44e135b
Add some frozen string to spec/**/*.rb
...
Adds frozen string to the following:
* spec/bin/**/*.rb
* spec/config/**/*.rb
* spec/controllers/**/*.rb
xref https://gitlab.com/gitlab-org/gitlab-ce/issues/59758
2019-04-15 10:17:05 +00:00
Thong Kuah
4ec16912b8
Autocorrect with RSpec/ExampleWording cop
...
- rewords examples starting with 'should'
- rewords examples starting with 'it'
Note: I had to manually fixup "onlies" to "only"
2019-04-05 08:43:27 +00:00
Pavel Shutsin
8ee1927db9
Move out link\unlink ability checks to a policy
...
We can extend the policy in EE for additional behavior
2019-03-19 15:38:16 +03:00
Yorick Peterse
040e6e72bf
Merge branch 'ce-security-jej/group-saml-link-origin-verification' into 'master'
...
Ensure request to link GroupSAML acount was GitLab initiated
See merge request gitlab/gitlabhq!2976
2019-03-04 18:36:26 +00:00
James Edwards-Jones
6548e01f18
Avoid CSRF check on SAML failure endpoint
...
SAML and OAuth failures should cause a message to be presented, as well
as logging that an attempt was made. These were incorrectly prevented by
the CSRF check on POST endpoints such as SAML.
In addition we were using a NullSession forgery protection, which made
testing more difficult and could have allowed account linking to take
place if a CSRF was ever needed but not present.
2019-02-04 10:10:51 +00:00
James Edwards-Jones
104c8b890d
Backport EE GroupSAML origin verification changes
2019-01-23 19:42:16 +00:00
Jasper Maes
4361c92b6a
Update gitlab-styles to 2.5.1
2019-01-11 23:59:35 +01:00
Scott Escue
6540a9468a
Preserve URL fragment across sign-in and sign-up redirects
...
If window.location contains a URL fragment, append the fragment to all sign-in forms, the sign-up form, and all button based providers.
2019-01-10 00:00:38 -06:00
Yorick Peterse
9606dbbb03
Whitelist existing destroy_all offenses
...
This whitelists all existing places where we use "destroy_all".
2018-08-16 17:29:37 +02:00
Roger Rüttimann
2efe27ba18
Honor saml assurance level to allow 2FA bypassing
2018-06-25 15:32:03 +00:00
Tiago Botelho
161a05b963
Writes specs
2018-03-22 16:05:15 +00:00
James Lopez
140cb0c092
Merge branch 'fix/auth0-unsafe-login-10-6' into 'security-10-6'
...
[10.6] Fix GitLab Auth0 integration signs in the wrong user
See merge request gitlab/gitlabhq!2354
2018-03-21 14:43:47 +00:00
Robert Speicher
4493ec0880
Merge branch 'jej/fix-disabled-oauth-access-10-3' into 'security-10-3'
...
[10.3] Prevent login with disabled OAuth providers
See merge request gitlab/gitlabhq!2296
(cherry picked from commit 4936650427ffc88e6ee927aedbb2c724d24b094c)
a0f9d222 Prevents login with disabled OAuth providers
2018-01-16 17:05:01 -08:00