When sign-in is disabled:
- skip password expiration checks
- prevent password reset requests
- don’t show Password tab in User Settings
- don’t allow login with username/password for Git over HTTP requests
- render 404 on requests to Profiles::PasswordsController
If internal auth is disabled and LDAP is not configured on the instance,
present the user with a message to create a personal access token if his
Git over HTTP auth attempt fails.
* The spec has 7 failures at this point
* Specify rendered error messages
* Render the GitAccess message rather than “Access denied”
* Render the Not Found message provided by GitAccess, instead of a custom one
* Expect GitAccess to check the config for whether Git-over-HTTP pull or push is disabled, rather than doing it in the controller
* Add more thorough testing for authentication
* Dried up a lot of tests
* Fixed some broken tests
- We currently support fetching code with username = 'oauth2' and
password = <access_token>.
- Trying to _push_ code with the same credentials fails with an authentication
error.
- There's no reason this shouldn't be enabled, especially since we allow the
OAuth client to create deploy keys with push access:
https://docs.gitlab.com/ce/api/deploy_keys.html#add-deploy-key
Gitlab::Auth.find_with_user_password is currently used in these places:
- resource_owner_from_credentials in config/initializers/doorkeeper.rb,
which is used for the OAuth Resource Owner Password Credentials flow
- the /session API call in lib/api/session.rb, which is used to reveal
the user's current authentication_token
In both cases users should only be authenticated if they're in the
active state.
* upstream/master: (538 commits)
Reject blank environment vcariables in Gitlab::Git::RevList
Add online terminal documentation
Add changelog entry
Add terminal UI and controller actions
Fix specs
Even out padding on plus button in breadcrumb menu
Update font size of detail page header to 14px
Update CHANGELOG.md for 8.13.10
Update CHANGELOG.md for 8.14.5
Fix Route#rename_children behavior
Remove inline-block styling from status
Add terminals to the Kubernetes deployment service
Add a ReactiveCaching concern for use in the KubernetesService
Add xterm.js 2.1.0 and a wrapper class to the asset pipeline
Remove unnecessary hidden svg elements for icons.
Fix consistent typo in environment.js
Use a block to insert extra check for authenticate_build!
Align milestone column header with count number
Add Wiki import to BB importer
Make CI badge hitboxes better match container
...
Stop 'git push' over HTTP early
Before this change we always let users push Git data over HTTP before
deciding whether to accept to push. This was different from pushing
over SSH where we terminate a 'git push' early if we already know the
user is not allowed to push.
This change let Git over HTTP follow the same behavior as Git over
SSH. We also distinguish between HTTP 404 and 403 responses when
denying Git requests, depending on whether the user is allowed to know
the project exists.
See merge request !5639
Before this change we always let users push Git data over HTTP before
deciding whether to accept to push. This was different from pushing
over SSH where we terminate a 'git push' early if we already know the
user is not allowed to push.
This change let Git over HTTP follow the same behavior as Git over
SSH. We also distinguish between HTTP 404 and 403 responses when
denying Git requests, depending on whether the user is allowed to know
the project exists.
It doesn't seem possible to set constraints based on format for project
IDs ending in .git, so set the constraint on the ID and ensure the
format is nil to avoid the case where the project ID is something like
project.git.foo.
Gabriel Mazetto
Rémy Coutable
Sean McGivern
Robin Bobbitt
Paul Charlton
Grzegorz Bizon
Michael Kozono
Robert Speicher
Douwe Maan
Sean McGivern
James Lopez
Timothy Andrew
Markus Koller
Semyon Pupkov
Douglas Barbosa Alexandre
Lin Jen-Shin
Douwe Maan
Dmitriy Zaporozhets
tiagonbotelho
Horatiu Eugen Vlad
Kamil Trzcinski
Jacob Vosmaer
Felipe Artur
Patricio Cano
Robert Speicher
Gabriel Mazetto
Z.J. van de Weg
Jacob Vosmaer