Move out link\unlink ability checks to a policy

We can extend the policy in EE for additional behavior
author: Pavel Shutsin <pshutsin@gitlab.com> 2019-03-18 17:36:34 +0300
committer: Pavel Shutsin <pshutsin@gitlab.com> 2019-03-19 15:38:16 +0300
commit: 8ee1927db90d43205b4e6f8bd13f209c74b41bd1 (patch)
tree: 247e5f813947c1bdeb838e2776835208e6a7e2bc /app/controllers/omniauth_callbacks_controller.rb
parent: a4b18040778d7272bd8fbbb3746e199699ffd893 (diff)
1 files changed, 3 insertions, 1 deletions
diff --git a/app/controllers/omniauth_callbacks_controller.rb b/app/controllers/omniauth_callbacks_controller.rb
index cc2bb99f55b..e90e8278c13 100644
--- a/app/controllers/omniauth_callbacks_controller.rb
+++ b/app/controllers/omniauth_callbacks_controller.rb
@@ -3,6 +3,7 @@
 class OmniauthCallbacksController < Devise::OmniauthCallbacksController
   include AuthenticatesWithTwoFactor
   include Devise::Controllers::Rememberable
+  include AuthHelper
 
   protect_from_forgery except: [:kerberos, :saml, :cas3, :failure], with: :exception, prepend: true
 
@@ -80,10 +81,11 @@ class OmniauthCallbacksController < Devise::OmniauthCallbacksController
     end
 
     if current_user
+      return render_403 unless link_provider_allowed?(oauth['provider'])
+
       log_audit_event(current_user, with: oauth['provider'])
 
       identity_linker ||= auth_module::IdentityLinker.new(current_user, oauth)
-
       identity_linker.link
 
       if identity_linker.changed?
author	Pavel Shutsin <pshutsin@gitlab.com>	2019-03-18 17:36:34 +0300
committer	Pavel Shutsin <pshutsin@gitlab.com>	2019-03-19 15:38:16 +0300
commit	8ee1927db90d43205b4e6f8bd13f209c74b41bd1 (patch)
tree	247e5f813947c1bdeb838e2776835208e6a7e2bc /app/controllers/omniauth_callbacks_controller.rb
parent	a4b18040778d7272bd8fbbb3746e199699ffd893 (diff)