author | GitLab Bot <gitlab-bot@gitlab.com> | 2022-11-17 14:33:21 +0300 |
---|---|---|
committer | GitLab Bot <gitlab-bot@gitlab.com> | 2022-11-17 14:33:21 +0300 |
commit | 7021455bd1ed7b125c55eb1b33c5a01f2bc55ee0 (patch) | |
tree | 5bdc2229f5198d516781f8d24eace62fc7e589e9 /app/controllers/oauth | |
parent | 185b095e93520f96e9cfc31d9c3e69b498cdab7c (diff) |
Add latest changes from gitlab-org/gitlab@15-6-stable-eev15.6.0-rc42
Diffstat (limited to 'app/controllers/oauth')
-rw-r--r-- | app/controllers/oauth/authorizations_controller.rb | 17 |
1 files changed, 16 insertions, 1 deletions
diff --git a/app/controllers/oauth/authorizations_controller.rb b/app/controllers/oauth/authorizations_controller.rb
index bf8b61db2e5..43bf895ea76 100644
--- a/app/controllers/oauth/authorizations_controller.rb
+++ b/app/controllers/oauth/authorizations_controller.rb
@@ -4,7 +4,7 @@ class Oauth::AuthorizationsController < Doorkeeper::AuthorizationsController
 include InitializesCurrentUserMode
 include Gitlab::Utils::StrongMemoize
- before_action :verify_confirmed_email!
+ before_action :verify_confirmed_email!, :verify_admin_allowed!
 layout 'profile'
@@ -97,4 +97,19 @@ class Oauth::AuthorizationsController < Doorkeeper::AuthorizationsController
 pre_auth.error = :unconfirmed_email
 render "doorkeeper/authorizations/error"
 end
+
+ def verify_admin_allowed!
+ render "doorkeeper/authorizations/forbidden" if disallow_connect?
+ end
+
+ def disallow_connect?
+ # we're disabling Cop/UserAdmin as OAuth tokens don't seem to respect admin mode
+ current_user&.admin? && Gitlab::CurrentSettings.disable_admin_oauth_scopes && dangerous_scopes? # rubocop:disable Cop/UserAdmin
+ end
+
+ def dangerous_scopes?
+ doorkeeper_application&.includes_scope?(*::Gitlab::Auth::API_SCOPE, *::Gitlab::Auth::READ_API_SCOPE,
+ *::Gitlab::Auth::ADMIN_SCOPES, *::Gitlab::Auth::REPOSITORY_SCOPES,
+ *::Gitlab::Auth::REGISTRY_SCOPES) && !doorkeeper_application&.trusted?
+ end
 end
|
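Review bot: `dangerous_scopes?` decides on the scopes registered on `doorkeeper_application` rather than on the scopes this particular authorization request is asking for, so an admin connecting a broadly-registered app for a narrow request (e.g. only `read_user`) is refused, while the thing being granted is never inspected directly; if Doorkeeper's `pre_auth` is available here as the `@@ -97` context suggests, consider basing the check on the request's effective scopes, e.g. `pre_auth.scopes.to_a.intersect?(::Gitlab::Auth::API_SCOPE + ::Gitlab::Auth::READ_API_SCOPE + ::Gitlab::Auth::ADMIN_SCOPES + ::Gitlab::Auth::REPOSITORY_SCOPES + ::Gitlab::Auth::REGISTRY_SCOPES) && !doorkeeper_application&.trusted?`, keeping the application-level test as a fallback when no scope param is present. `verify_admin_allowed!` renders the forbidden template with the default 200 status; `render "doorkeeper/authorizations/forbidden", status: :forbidden` would let clients and logs tell a refusal apart from a normal consent page (the sibling `verify_confirmed_email!` has the same gap, but this is new code). This before_action only gates the browser authorization-code flow through this controller; if the instance also issues tokens through other grants on the token endpoint (the password grant, for instance), those never pass through here, so a matching check near token issuance is worth confirming. The `# rubocop:disable Cop/UserAdmin` comment could say what the consequence is for the reader, e.g. `# Intentionally checks admin? (not admin mode): the OAuth token that results outlives the session and is usable without admin mode.` The methods are complete in the hunk; the enclosing class starts above it.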