Add latest changes from gitlab-org/gitlab@15-6-stable-eev15.6.0-rc42

1 files changed, 16 insertions, 1 deletions

diff --git a/app/controllers/oauth/authorizations_controller.rb b/app/controllers/oauth/authorizations_controller.rb
index bf8b61db2e5..43bf895ea76 100644
--- a/app/controllers/oauth/authorizations_controller.rb
+++ b/app/controllers/oauth/authorizations_controller.rb
@@ -4,7 +4,7 @@ class Oauth::AuthorizationsController < Doorkeeper::AuthorizationsController
   include InitializesCurrentUserMode
   include Gitlab::Utils::StrongMemoize
 
-  before_action :verify_confirmed_email!
+  before_action :verify_confirmed_email!, :verify_admin_allowed!
 
   layout 'profile'
 
@@ -97,4 +97,19 @@ class Oauth::AuthorizationsController < Doorkeeper::AuthorizationsController
     pre_auth.error = :unconfirmed_email
     render "doorkeeper/authorizations/error"
   end
+
+  def verify_admin_allowed!
+    render "doorkeeper/authorizations/forbidden" if disallow_connect?
+  end
+
+  def disallow_connect?
+    # we're disabling Cop/UserAdmin as OAuth tokens don't seem to respect admin mode
+    current_user&.admin? && Gitlab::CurrentSettings.disable_admin_oauth_scopes && dangerous_scopes? # rubocop:disable Cop/UserAdmin
+  end
+
+  def dangerous_scopes?
+    doorkeeper_application&.includes_scope?(*::Gitlab::Auth::API_SCOPE, *::Gitlab::Auth::READ_API_SCOPE,
+                                             *::Gitlab::Auth::ADMIN_SCOPES, *::Gitlab::Auth::REPOSITORY_SCOPES,
+                                             *::Gitlab::Auth::REGISTRY_SCOPES) && !doorkeeper_application&.trusted?
+  end
 end