diff options
Diffstat (limited to 'app')
-rw-r--r-- | app/controllers/admin/users_controller.rb | 1 | ||||
-rw-r--r-- | app/controllers/concerns/impersonation.rb | 13 |
2 files changed, 14 insertions, 0 deletions
diff --git a/app/controllers/admin/users_controller.rb b/app/controllers/admin/users_controller.rb index 55e03503ba9..cdfb3a32f4c 100644 --- a/app/controllers/admin/users_controller.rb +++ b/app/controllers/admin/users_controller.rb @@ -49,6 +49,7 @@ class Admin::UsersController < Admin::ApplicationController session[:impersonator_id] = current_user.id warden.set_user(user, scope: :user) + clear_access_token_session_keys! log_impersonation_event diff --git a/app/controllers/concerns/impersonation.rb b/app/controllers/concerns/impersonation.rb index 0764fbc8eb3..539dd9ad69d 100644 --- a/app/controllers/concerns/impersonation.rb +++ b/app/controllers/concerns/impersonation.rb @@ -3,6 +3,12 @@ module Impersonation include Gitlab::Utils::StrongMemoize + SESSION_KEYS_TO_DELETE = %w( + github_access_token gitea_access_token gitlab_access_token + bitbucket_token bitbucket_refresh_token bitbucket_server_personal_access_token + bulk_import_gitlab_access_token fogbugz_token + ).freeze + def current_user user = super @@ -27,6 +33,7 @@ module Impersonation warden.set_user(impersonator, scope: :user) session[:impersonator_id] = nil + clear_access_token_session_keys! current_user end @@ -39,6 +46,12 @@ module Impersonation Gitlab::AppLogger.info("User #{impersonator.username} has stopped impersonating #{current_user.username}") end + def clear_access_token_session_keys! + access_tokens_keys = session.keys & SESSION_KEYS_TO_DELETE + + access_tokens_keys.each { |key| session.delete(key) } + end + def impersonator strong_memoize(:impersonator) do User.find(session[:impersonator_id]) if session[:impersonator_id] |