From 95328dd30a55cb66da05352131e7a981b44e1348 Mon Sep 17 00:00:00 2001
From: GitLab Bot
Date: Wed, 29 Sep 2021 13:00:00 +0000
Subject: Add latest changes from gitlab-org/security/gitlab@14-3-stable-ee
---
 app/controllers/admin/users_controller.rb | 6 ++----
 app/controllers/concerns/impersonation.rb | 6 +-----
 app/controllers/profiles/passwords_controller.rb | 8 --------
 3 files changed, 3 insertions(+), 17 deletions(-)
(limited to 'app/controllers')
diff --git a/app/controllers/admin/users_controller.rb b/app/controllers/admin/users_controller.rb
index cdfb3a32f4c..dfc1434d909 100644
--- a/app/controllers/admin/users_controller.rb
+++ b/app/controllers/admin/users_controller.rb
@@ -45,7 +45,7 @@ class Admin::UsersController < Admin::ApplicationController
 end
 def impersonate
- if can?(user, :log_in) && !impersonation_in_progress?
+ if can?(user, :log_in)
 session[:impersonator_id] = current_user.id
 warden.set_user(user, scope: :user)
@@ -58,9 +58,7 @@ class Admin::UsersController < Admin::ApplicationController
 redirect_to root_path
 else
 flash[:alert] =
- if impersonation_in_progress?
- _("You are already impersonating another user")
- elsif user.blocked?
+ if user.blocked?
 _("You cannot impersonate a blocked user")
 elsif user.internal?
 _("You cannot impersonate an internal user")
diff --git a/app/controllers/concerns/impersonation.rb b/app/controllers/concerns/impersonation.rb
index 539dd9ad69d..a8788e7f8bd 100644
--- a/app/controllers/concerns/impersonation.rb
+++ b/app/controllers/concerns/impersonation.rb
@@ -20,7 +20,7 @@ module Impersonation
 protected
 def check_impersonation_availability
- return unless impersonation_in_progress?
+ return unless session[:impersonator_id]
 unless Gitlab.config.gitlab.impersonation_enabled
 stop_impersonation
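Review bot: Without the `!impersonation_in_progress?` guard, `impersonate` can run while `session[:impersonator_id]` is already set, and the next line `session[:impersonator_id] = current_user.id` then overwrites the original admin's id with the id of the user currently being impersonated. Nothing in the hunk records the earlier value, so `stop_impersonation` and `log_impersonation_event` (visible in the impersonation.rb hunks) would only ever see the most recent impersonator, and the audit trail of who started a nested chain is lost. Presumably reaching this action while impersonating requires the impersonated user to pass the admin controller's checks, so the exposure may be limited — worth confirming. A comment on the assignment would make the consequence explicit: `# Overwrites any existing impersonator id: ending a nested impersonation returns to the most recent admin, not the original one`. The second hunk of this file (the flash message) follows from the same guard removal; the method body continues outside the hunk.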
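Review bot: `check_impersonation_availability` now tests the raw session key, and with `impersonation_in_progress?` deleted in the next hunk of this file nothing documents what `session[:impersonator_id]` holds; the users_controller hunk shows it is assigned `current_user.id` by the admin who starts impersonating. A one-line comment above the guard would carry that: `# session[:impersonator_id] is the admin who started impersonating; nil when no impersonation is active`. The test also changed from `present?` to plain truthiness, which only differs for blank non-nil values — immaterial for an integer id, but worth knowing if the key is ever set to anything else. The method body continues past the hunk.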
@@ -38,10 +38,6 @@ module Impersonation
 current_user
 end
- def impersonation_in_progress?
- session[:impersonator_id].present?
- end
-
 def log_impersonation_event
 Gitlab::AppLogger.info("User #{impersonator.username} has stopped impersonating #{current_user.username}")
 end
diff --git a/app/controllers/profiles/passwords_controller.rb b/app/controllers/profiles/passwords_controller.rb
index c8c2dd1c7d6..85e901eb3eb 100644
--- a/app/controllers/profiles/passwords_controller.rb
+++ b/app/controllers/profiles/passwords_controller.rb
@@ -47,8 +47,6 @@ class Profiles::PasswordsController < Profiles::ApplicationController
 password_attributes[:password_automatically_set] = false
 unless @user.password_automatically_set || @user.valid_password?(user_params[:current_password])
- handle_invalid_current_password_attempt!
-
 redirect_to edit_profile_password_path, alert: _('You must provide a valid current password')
 return
 end
@@ -87,12 +85,6 @@ class Profiles::PasswordsController < Profiles::ApplicationController
 render_404 unless @user.allow_password_authentication?
 end
- def handle_invalid_current_password_attempt!
- Gitlab::AppLogger.info(message: 'Invalid current password when attempting to update user password', username: @user.username, ip: request.remote_ip)
-
- @user.increment_failed_attempts!
- end
-
 def user_params
 params.require(:user).permit(:current_password, :password, :password_confirmation)
 end
-- cgit v1.2.3
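Review bot: Removing `handle_invalid_current_password_attempt!` drops both the failed-attempt increment and the `Gitlab::AppLogger.info` entry (its body is in the last hunk of this file), so a wrong current password on the profile password form now leaves no server-side trace. If the lockout side effect was what had to go, the log line can stand on its own before the `redirect_to`: `Gitlab::AppLogger.info(message: 'Invalid current password when attempting to update user password', username: @user.username, ip: request.remote_ip)`. That keeps repeated failures visible to log-based monitoring without touching account state. The enclosing action starts and ends outside the hunk.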