Commit ba9a9b98 authored by Robert Speicher's avatar Robert Speicher Committed by Thiago Presa

Merge branch 'fix_pat_auth-11-4' into 'security-11-4'

[11.4] Fix Token lookup for Git over HTTP and registry authentication

See merge request gitlab/gitlabhq!2577
parent 872549f7
......@@ -3,7 +3,7 @@
class PersonalAccessTokensFinder
attr_accessor :params
delegate :build, :find, :find_by, to: :execute
delegate :build, :find, :find_by, :find_by_token, to: :execute
def initialize(params = {})
@params = params
......
......@@ -459,7 +459,7 @@ class User < ActiveRecord::Base
def find_by_personal_access_token(token_string)
return unless token_string
PersonalAccessTokensFinder.new(state: 'active').find_by(token: token_string)&.user # rubocop: disable CodeReuse/Finder
PersonalAccessTokensFinder.new(state: 'active').find_by_token(token_string)&.user # rubocop: disable CodeReuse/Finder
end
# Returns a user for the given SSH key.
......
......@@ -149,17 +149,15 @@ module Gitlab
end
# rubocop: enable CodeReuse/ActiveRecord
# rubocop: disable CodeReuse/ActiveRecord
def personal_access_token_check(password)
return unless password.present?
token = PersonalAccessTokensFinder.new(state: 'active').find_by(token: password)
token = PersonalAccessTokensFinder.new(state: 'active').find_by_token(password)
if token && valid_scoped_token?(token, available_scopes)
Gitlab::Auth::Result.new(token.user, nil, :personal_access_token, abilities_for_scopes(token.scopes))
end
end
# rubocop: enable CodeReuse/ActiveRecord
def valid_oauth_token?(token)
token && token.accessible? && valid_scoped_token?(token, [:api])
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment