diff options
| author | GitLab Release Tools Bot <robert+release-tools@gitlab.com> | 2019-10-29 18:58:14 +0300 |
|---|---|---|
| committer | GitLab Release Tools Bot <robert+release-tools@gitlab.com> | 2019-10-29 18:58:14 +0300 |
| commit | a7329f4372f4e0bc2c5d9af5b6d30cb4ad94ad7d (patch) | |
| tree | 9b387d2fc6d0b20efab499bc55c3bbce026da2c8 /app/controllers/application_controller.rb | |
| parent | a0043682b500ce39ff4eba00e8c1cecc64819ea1 (diff) | |
| parent | 8395032721f6d6cb26126a5bffcb42984a240c07 (diff) | |
Merge branch 'security-remove-leaky-401-responses-master' into 'master'
Private/internal repository enumeration via bruteforce on a vulnerable URL
See merge request gitlab/gitlabhq!3454
Diffstat (limited to 'app/controllers/application_controller.rb')
| -rw-r--r-- | app/controllers/application_controller.rb | 6 |
1 files changed, 4 insertions, 2 deletions
diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb index 1443a71f6b1..27e88ae569e 100644 --- a/app/controllers/application_controller.rb +++ b/app/controllers/application_controller.rb @@ -16,7 +16,7 @@ class ApplicationController < ActionController::Base include Gitlab::Tracking::ControllerConcern include Gitlab::Experimentation::ControllerConcern - before_action :authenticate_user! + before_action :authenticate_user!, except: [:route_not_found] before_action :enforce_terms!, if: :should_enforce_terms? before_action :validate_user_service_ticket! before_action :check_password_expiration @@ -97,7 +97,9 @@ class ApplicationController < ActionController::Base if current_user not_found else - authenticate_user! + store_location_for(:user, request.fullpath) unless request.xhr? + + redirect_to new_user_session_path, alert: I18n.t('devise.failure.unauthenticated') end end |