LDAP provider clash with secondary emails
Summary
When the LDAP provider is used, there can be a clash when a user adds a secondary email which equals the value of the mail attribute of another user. In this case, an internal error is presented to the user, which should not happen, because users should not see anything internal, but they should see proper error messages.
Imagine an already existing user has added an email XYZ as a secondary email to his account. If a new user logs in for the first time via the LDAP provider, and the value of its mail attribute equals XYZ, he cannot log in, and an internal error message is displayed:
Could not authenticate you from Ldapmain because "Undefined method `provider' for nil:nilclass".
The application log states:
October 21, 2016 16:02: (LDAP) Error saving user: ["Email has already been taken"]
So first of all, a better error message should be displayed to the user (for example "Email has already been taken"). On the other hand, this error would seem strange to the user, who relies on a properly managed LDAP database. So with this bug report, I also make a feature request: it should be configurable to disallow users from adding multiple emails to their accounts.
Steps to reproduce
The LDAP provider is used. User X adds email A to his account as a secondary email. User Y logs in (with a mail attribute in LDAP whose value is equal to email A).
Expected behavior
A clear, explanatory message should be displayed.
Actual behavior
An internal error message is displayed to the user: "Undefined method `provider' for nil:nilclass"
Relevant logs and/or screenshots
HTML presented to user:
``
Log File:
$tail -f /.../application.log
October 21, 2016 16:02: (LDAP) Error saving user: ["Email has already been taken"]
Output of checks
Results of GitLab application Check
[root@g ~]# gitlab-rake gitlab:check SANITIZE=true
Checking GitLab Shell ...
GitLab Shell version >= 3.6.1 ? ... OK (3.6.1)
Repo base directory exists?
default... yes
Repo storage directories are symlinks?
default... no
Repo paths owned by git:git?
default... yes
Repo paths access is drwxrws---?
default... yes
hooks directories in repos are links: ... can't check, you have no projects
Running /opt/gitlab/embedded/service/gitlab-shell/bin/check
Check GitLab API access: OK
Access to /var/opt/gitlab/.ssh/authorized_keys: OK
Send ping to redis server: OK
gitlab-shell self-check successful
Checking GitLab Shell ... Finished
Checking Sidekiq ...
Running? ... yes
Number of Sidekiq processes ... 1
Checking Sidekiq ... Finished
Checking Reply by email ...
Reply by email is disabled in config/gitlab.yml
Checking Reply by email ... Finished
Checking LDAP ...
LDAP users with access to your GitLab server (only showing the first 100 results)
Server: ldapmain
Checking LDAP ... Finished
Checking GitLab ...
Git configured with autocrlf=input? ... yes
Database config exists? ... yes
All migrations up? ... yes
Database contains orphaned GroupMembers? ... no
GitLab config exists? ... yes
GitLab config outdated? ... no
Log directory writable? ... yes
Tmp directory writable? ... yes
Uploads directory setup correctly? ... skipped (no tmp uploads folder yet)
Init script exists? ... skipped (omnibus-gitlab has no init script)
Init script up-to-date? ... skipped (omnibus-gitlab has no init script)
projects have namespace: ... can't check, you have no projects
Redis version >= 2.8.0? ... yes
Ruby version >= 2.1.0 ? ... yes (2.3.1)
Your git bin path is "/opt/gitlab/embedded/bin/git"
Git version >= 2.7.3 ? ... yes (2.7.4)
Active users: 2
Checking GitLab ... Finished
Results of GitLab environment info
[root@g ~]# gitlab-rake gitlab:env:info
System information
System:
Current User: git
Using RVM: no
Ruby Version: 2.3.1p112
Gem Version: 2.6.6
Bundler Version:1.13.5
Rake Version: 10.5.0
Sidekiq Version:4.1.4
GitLab information
Version: 8.12.7
Revision: 7429b21d
Directory:
DB Adapter: postgresql
URL:
HTTP Clone URL:
SSH Clone URL:
Using LDAP: yes
Using Omniauth: no
GitLab Shell
Version: 3.6.1
Repository storage paths:
- default:
Hooks:
Git:
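A minimal Ruby model of the failure described in this report, added here as an example and not taken from GitLab's code. The class names, method names and sample addresses are hypothetical, and it assumes the nil error arises because the result of the failed user save is used without a check:

```ruby
# Added illustration; not GitLab's code. All names below are hypothetical.
User = Struct.new(:username, :email, :secondary_emails, :provider)

class UserStore
  attr_reader :users

  def initialize
    @users = []
  end

  # Uniqueness spans primary AND secondary emails, compared case-insensitively.
  def email_owner(email)
    key = email.downcase
    @users.find { |u| ([u.email] + u.secondary_emails).map(&:downcase).include?(key) }
  end

  # Returns [user, errors]; user is nil when validation fails.
  def save_ldap_user(username, mail)
    return [nil, ['Email has already been taken']] if email_owner(mail)
    user = User.new(username, mail, [], 'ldapmain')
    @users << user
    [user, []]
  end
end

# Unchecked flow: the errors are dropped and the nil result is dereferenced,
# so the user sees an interpreter message instead of the validation error.
def login_unsafe(store, username, mail)
  user, _errors = store.save_ldap_user(username, mail)
  "Signed in via #{user.provider}"
rescue NoMethodError => e
  "Could not authenticate you because \"#{e.message}\""
end

# Checked flow: the save result is tested and the validation error is reported.
def login_checked(store, username, mail)
  user, errors = store.save_ldap_user(username, mail)
  return "Could not sign in #{username}: #{errors.join(', ')}" if user.nil?
  "Signed in via #{user.provider}"
end

# Constructed sample data: user X already holds a@example.com as a secondary email.
STORE = UserStore.new
STORE.users << User.new('x', 'x@example.com', ['a@example.com'], 'ldapmain')
```

Calling `login_checked(STORE, 'y', 'a@example.com')` returns the validation message, while `login_unsafe` with the same arguments returns the internal one.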