authorGitLab Bot <gitlab-bot@gitlab.com>2021-01-14 18:10:46 +0300
committerGitLab Bot <gitlab-bot@gitlab.com>2021-01-14 18:10:46 +0300
commit8106ac487c3b52471e2ca894c65c13162c2fb1a8 (patch)
tree12a07c7dd794babe870477f3cd42f15392a82355 /app/controllers
parent18873553de98259d0558157f78198b38ddd02b31 (diff)
Add latest changes from gitlab-org/gitlab@master
Diffstat (limited to 'app/controllers')
-rw-r--r--app/controllers/admin/projects_controller.rb4
-rw-r--r--app/controllers/oauth/authorizations_controller.rb23
2 files changed, 16 insertions, 11 deletions
diff --git a/app/controllers/admin/projects_controller.rb b/app/controllers/admin/projects_controller.rb
index c4564478462..39718793c1d 100644
--- a/app/controllers/admin/projects_controller.rb
+++ b/app/controllers/admin/projects_controller.rb
@@ -57,6 +57,10 @@ class Admin::ProjectsController < Admin::ApplicationController
namespace = Namespace.find_by(id: params[:new_namespace_id])
::Projects::TransferService.new(@project, current_user, params.dup).execute(namespace)
+ if @project.errors[:new_namespace].present?
+ flash[:alert] = @project.errors[:new_namespace].first
+ end
+
@project.reset
redirect_to admin_project_path(@project)
end
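Review bot: Only the first `:new_namespace` message is surfaced, so if ::Projects::TransferService records several messages, or attaches one to a different attribute, the admin sees one line or nothing while the action still redirects exactly as on success. Consider reading all of them, e.g. `flash[:alert] = @project.errors[:new_namespace].to_sentence if @project.errors[:new_namespace].present?`, and checking whether the service also writes to `errors[:base]` so that case is not lost. The read is placed before `@project.reset`, which looks deliberate since reset presumably discards the in-memory error state; a one-line comment such as `# Read transfer errors before #reset drops the in-memory state` would keep the next editor from reordering it. The `transfer` action's signature and the namespace lookup start above this hunk.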
diff --git a/app/controllers/oauth/authorizations_controller.rb b/app/controllers/oauth/authorizations_controller.rb
index ade698baa7f..857f36e3833 100644
--- a/app/controllers/oauth/authorizations_controller.rb
+++ b/app/controllers/oauth/authorizations_controller.rb
@@ -4,7 +4,7 @@ class Oauth::AuthorizationsController < Doorkeeper::AuthorizationsController
include Gitlab::Experimentation::ControllerConcern
include InitializesCurrentUserMode
- before_action :verify_confirmed_email!
+ before_action :verify_confirmed_email!, :verify_confidential_application!
layout 'profile'
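Review bot: The filter added on the `before_action` line applies to every action of this controller, including those inherited from Doorkeeper::AuthorizationsController, whereas the removed `create` override only covered the token-issuing request; widening it to `new` is the point of the change, but nothing on the line records that, so a later `only:` or reorder could silently reopen the gap. A comment such as `# Runs on new as well as create so the consent page is never shown for an implicit-grant request from a confidential app` would make the intent reviewable. The guard's body in the next hunk relies on `pre_auth.authorizable?` being false for requests that carry no authorization parameters; that is plausible for the inherited destroy action but not visible here, so confirm it rather than assume it. Filter order also matters: `verify_confirmed_email!` runs first, and the render inside `verify_confidential_application!` is what halts the chain, so neither line should be moved without rechecking both.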
@@ -24,18 +24,19 @@ class Oauth::AuthorizationsController < Doorkeeper::AuthorizationsController
end
end
- def create
- # Confidential apps require the client_secret to be sent with the request.
- # Doorkeeper allows implicit grant flow requests (response_type=token) to
- # work without client_secret regardless of the confidential setting.
- if pre_auth.authorizable? && pre_auth.response_type == 'token' && pre_auth.client.application.confidential
- render "doorkeeper/authorizations/error"
- else
- super
- end
+ private
+
+ # Confidential apps require the client_secret to be sent with the request.
+ # Doorkeeper allows implicit grant flow requests (response_type=token) to
+ # work without client_secret regardless of the confidential setting.
+ # This leads to security vulnerabilities and we want to block it.
+ def verify_confidential_application!
+ render 'doorkeeper/authorizations/error' if authorizable_confidential?
end
- private
+ def authorizable_confidential?
+ pre_auth.authorizable? && pre_auth.response_type == 'token' && pre_auth.client.application.confidential
+ end
def verify_confirmed_email!
return if current_user&.confirmed?