Add latest changes from gitlab-org/security/gitlab@13-7-stable-ee

author: GitLab Bot <gitlab-bot@gitlab.com> 2021-01-06 22:21:00 +0300
committer: GitLab Bot <gitlab-bot@gitlab.com> 2021-01-06 22:21:00 +0300
commit: fa70ce1068babe592d348497c772f1b5160cbb6e (patch)
tree: 88e00024a01cd6464afc88150a378f3e1de5bc7e /app
parent: bd200951d7e928b84bd5b4ef1210a56d688a03c9 (diff)
1 files changed, 11 insertions, 0 deletions
diff --git a/app/controllers/oauth/authorizations_controller.rb b/app/controllers/oauth/authorizations_controller.rb
index 6e8686ee90b..ade698baa7f 100644
--- a/app/controllers/oauth/authorizations_controller.rb
+++ b/app/controllers/oauth/authorizations_controller.rb
@@ -24,6 +24,17 @@ class Oauth::AuthorizationsController < Doorkeeper::AuthorizationsController
     end
   end
 
+  def create
+    # Confidential apps require the client_secret to be sent with the request.
+    # Doorkeeper allows implicit grant flow requests (response_type=token) to
+    # work without client_secret regardless of the confidential setting.
+    if pre_auth.authorizable? && pre_auth.response_type == 'token' && pre_auth.client.application.confidential
+      render "doorkeeper/authorizations/error"
+    else
+      super
+    end
+  end
+
   private
 
   def verify_confirmed_email!
author	GitLab Bot <gitlab-bot@gitlab.com>	2021-01-06 22:21:00 +0300
committer	GitLab Bot <gitlab-bot@gitlab.com>	2021-01-06 22:21:00 +0300
commit	fa70ce1068babe592d348497c772f1b5160cbb6e (patch)
tree	88e00024a01cd6464afc88150a378f3e1de5bc7e /app
parent	bd200951d7e928b84bd5b4ef1210a56d688a03c9 (diff)