gitlab.com/gitlab-org/gitlab-foss.git
author Robert Speicher <robert@gitlab.com> 2016-06-17 22:27:51 +0300
committer Robert Speicher <robert@gitlab.com> 2016-06-17 22:27:51 +0300
commit d9d149244a050f32dd00a9a1898eb5c309eb50eb
tree 5dee734af88c7884dd89fccb3759c26a0d1ae5a0 /spec/controllers
parent 1db4fd3ae7cd3a4fa2f356a4c252820e26783a27
parent 2786edc931f1853883e5bbd9d2b83a824288ae5c
Merge branch 'disable-saml-account-unlink' into 'master'

Disable the unlink feature for SAML connected accounts (social login).

This disables the ability to manually unlink your SAML account, if you have one connected. In certain scenarios, the only allowed login mechanism can be SAML, and if you unlink your account you will be locked out of the system (configuration dependent).

Fixes #18613

See merge request !4662

Diffstat (limited to 'spec/controllers')
-rw-r--r-- spec/controllers/profiles/accounts_controller_spec.rb 26
1 files changed, 26 insertions, 0 deletions
diff --git a/spec/controllers/profiles/accounts_controller_spec.rb b/spec/controllers/profiles/accounts_controller_spec.rb
new file mode 100644
index 00000000000..4eafc11abaa
--- /dev/null
+++ b/spec/controllers/profiles/accounts_controller_spec.rb
@@ -0,0 +1,26 @@
+require 'spec_helper'
+
+describe Profiles::AccountsController do
+
+ let(:user) { create(:omniauth_user, provider: 'saml') }
+
+ before do
+ sign_in(user)
+ end
+
+ it 'does not allow to unlink SAML connected account' do
+ identity = user.identities.last
+ delete :unlink, provider: 'saml'
+ updated_user = User.find(user.id)
+
+ expect(response.status).to eq(302)
+ expect(updated_user.identities.size).to eq(1)
+ expect(updated_user.identities).to include(identity)
+ end
+
+ it 'does allow to delete other linked accounts' do
+ user.identities.create(provider: 'twitter', extern_uid: 'twitter_123')
+
+ expect { delete :unlink, provider: 'twitter' }.to change(Identity.all, :size).by(-1)
+ end
+end
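Review bot: In the second example ('does allow to delete other linked accounts') the only assertion is that `Identity.all` shrinks by one, so the spec would still pass if the unlink action removed the user's SAML identity instead of the twitter one. Since the purpose of the change is that the SAML identity survives, assert on the user's own identities after the request: the provider list should still contain 'saml' and no longer contain 'twitter'. In the first example, `expect(response.status).to eq(302)` accepts any redirect; also checking the redirect target, and any message shown to the user, would show that the unlink was refused rather than redirected for some other reason.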