
gitlab.com/gitlab-org/gitlab-foss.git - Unnamed repository; edit this file 'description' to name the repository.
authorJacob Vosmaer <contact@jacobvosmaer.nl>2014-08-12 19:51:56 +0400
committerJacob Vosmaer <contact@jacobvosmaer.nl>2014-08-29 17:38:05 +0400
commit614ca3ec6568f67883c914d43fd37a5758a8ed5b (patch)
treeff8d2eed428624fe5aa024600ba8bfbaddd341e3 /spec/lib/gitlab/ldap
parent47ac48c03127b62212108442a8e61f41a7cee6ec (diff)
Remove LDAP::Access#find_user
This method existed to allow LDAP users to take over existing GitLab accounts if the part before the '@' of their LDAP email attribute matched the username of an existing GitLab user. I propose to disable this behavior in order to prevent unintended GitLab account takeovers. After this change it is still possible to take over an existing GitLab account with your LDAP credentials, as long as the GitLab account email address matches the LDAP user email address.
Diffstat (limited to 'spec/lib/gitlab/ldap')
-rw-r--r--spec/lib/gitlab/ldap/ldap_user_auth_spec.rb12
1 files changed, 0 insertions, 12 deletions
diff --git a/spec/lib/gitlab/ldap/ldap_user_auth_spec.rb b/spec/lib/gitlab/ldap/ldap_user_auth_spec.rb
index 501642dca79..1d3df52f0c2 100644
--- a/spec/lib/gitlab/ldap/ldap_user_auth_spec.rb
+++ b/spec/lib/gitlab/ldap/ldap_user_auth_spec.rb
@@ -31,18 +31,6 @@ describe Gitlab::LDAP do
gl_auth.find_or_create(@auth)
end
- it "should update credentials by username if missing uid and Gitlab.config.ldap.allow_username_or_email_login is true" do
- user = double('User')
- value = Gitlab.config.ldap.allow_username_or_email_login
- Gitlab.config.ldap['allow_username_or_email_login'] = true
- User.stub find_by_extern_uid_and_provider: nil
- User.stub(:find_by).with(hash_including(email: anything())) { nil }
- User.stub(:find_by).with(hash_including(username: anything())) { user }
- user.should_receive :update_attributes
- gl_auth.find_or_create(@auth)
- Gitlab.config.ldap['allow_username_or_email_login'] = value
- end
-
it "should not update credentials by username if missing uid and Gitlab.config.ldap.allow_username_or_email_login is false" do
user = double('User')
value = Gitlab.config.ldap.allow_username_or_email_login