Fixed privilege escalation issue where manually set external users would be...

Fixed privilege escalation issue where manually set external users would be reverted back to internal users if they logged in via OAuth and that provider was not in the `external_providers` list.

Fixed privilege escalation issue where manually set external users would be...
10444f61 · Patricio Cano · ebe21acc · 10444f61 · 10444f61 · 10444f61
Commit 10444f61 authored 8 years ago by Patricio Cano
--- a/doc/integration/omniauth.md
+++ b/doc/integration/omniauth.md
@@ -127,9 +127,15 @@ The chosen OmniAuth provider is now active and can be used to sign in to GitLab
 This setting was introduced with version 8.7 of GitLab
  
 You can define which OmniAuth providers you want to be `external` so that all users
-creating accounts via these providers will not be able to have access to internal
-projects. You will need to use the full name of the provider, like `google_oauth2`
-for Google. Refer to the examples for the full names of the supported providers.
+**creating accounts, or logging in via these providers** will not be able to have
+access to internal projects. You will need to use the full name of the provider,
+like `google_oauth2` for Google. Refer to the examples for the full names of the
+supported providers.
+
+>**Note:**
+If you decide to remove an OmniAuth provider from the external providers list
+you will need to manually update the users that use this method to login, if you
+want their accounts to be upgraded to full internal accounts.
  
 **For Omnibus installations**
  

--- a/lib/gitlab/o_auth/user.rb
+++ b/lib/gitlab/o_auth/user.rb
@@ -56,8 +56,6 @@ module Gitlab
  
        if external_provider? && @user
          @user.external = true
-        elsif @user
-          @user.external = false
        end
  
        @user

--- a/spec/lib/gitlab/o_auth/user_spec.rb
+++ b/spec/lib/gitlab/o_auth/user_spec.rb
@@ -51,12 +51,25 @@ describe Gitlab::OAuth::User, lib: true do
        end
  
        context 'provider was external, now has been removed' do
-          it 'should mark existing user internal' do
+          it 'should not mark external user as internal' do
            create(:omniauth_user, extern_uid: 'my-uid', provider: 'twitter', external: true)
            stub_omniauth_config(allow_single_sign_on: ['twitter'], external_providers: ['facebook'])
            oauth_user.save
            expect(gl_user).to be_valid
-            expect(gl_user.external).to be_falsey
+            expect(gl_user.external).to be_truthy
+          end
+        end
+
+        context 'provider is not external' do
+          context 'when adding a new OAuth identity' do
+            it 'should not promote an external user to internal' do
+              user = create(:user, email: 'john@mail.com', external: true)
+              user.identities.create(provider: provider, extern_uid: uid)
+
+              oauth_user.save
+              expect(gl_user).to be_valid
+              expect(gl_user.external).to be_truthy
+            end
          end
        end