Dont allow LDAP users to change password inside GitLab

app/controllers/profiles_controller.rb

@@ -2,6 +2,9 @@ class ProfilesController < ApplicationController
   include ActionView::Helpers::SanitizeHelper
   before_filter :user
+  before_filter :authorize_change_password!, only: :update_password
+  before_filter :authorize_change_username!, only: :update_username
+
   layout 'profile'
   def show
@@ -53,9 +56,7 @@ class ProfilesController < ApplicationController
   end
   def update_username
-    if @user.can_change_username?
-      @user.update_attributes(username: params[:user][:username])
-    end
+    @user.update_attributes(username: params[:user][:username])
     respond_to do |format|
       format.js
@@ -80,4 +81,12 @@ class ProfilesController < ApplicationController
     user_attributes
   end
+
+  def authorize_change_password!
+    return render_404 if @user.ldap_user?
+  end
+
+  def authorize_change_username!
+    return render_404 unless @user.can_change_username?
+  end
 end

app/models/user.rb

@@ -340,4 +340,8 @@ class User < ActiveRecord::Base
       nil
     end
   end
+
+  def ldap_user?
+    extern_uid && provider == 'ldap'
+  end
 end

app/views/profiles/account.html.haml

-- if Gitlab.config.omniauth.enabled
-  %fieldset
-    %legend Social Accounts
-    .oauth_select_holder
-      %p.hint Tip: Click on icon to activate sigin with one of the following services
-      - User.omniauth_providers.each do |provider|
-        %span{class: oauth_active_class(provider) }
-          = link_to authbutton(provider, 32), omniauth_authorize_path(User, provider)
+- unless current_user.ldap_user?
+  - if Gitlab.config.omniauth.enabled
+    %fieldset
+      %legend Social Accounts
+      .oauth_select_holder
+        %p.hint Tip: Click on icon to activate sigin with one of the following services
+        - User.omniauth_providers.each do |provider|
+          %span{class: oauth_active_class(provider) }
+            = link_to authbutton(provider, 32), omniauth_authorize_path(User, provider)
+
+
+  %fieldset.update-password
+    %legend Password
+    = form_for @user, url: update_password_profile_path, method: :put do |f|
+      .padded
+        %p.slead After successful password update you will be redirected to login page where you should login with new password
+        -if @user.errors.any?
+          .alert.alert-error
+            %ul
+              - @user.errors.full_messages.each do |msg|
+                %li= msg
+
+        .clearfix
+          = f.label :password
+          .input= f.password_field :password, required: true
+        .clearfix
+          = f.label :password_confirmation
+          .input
+            = f.password_field :password_confirmation, required: true
+        .clearfix
+          .input
+            = f.submit 'Save password', class: "btn btn-save"
@@ -29,29 +53,6 @@
             %span You don`t have one yet. Click generate to fix it.
             = f.submit 'Generate', class: "btn success btn-build-token"
-%fieldset.update-password
-  %legend Password
-  = form_for @user, url: update_password_profile_path, method: :put do |f|
-    .padded
-      %p.slead After successful password update you will be redirected to login page where you should login with new password
-      -if @user.errors.any?
-        .alert.alert-error
-          %ul
-            - @user.errors.full_messages.each do |msg|
-              %li= msg
-
-      .clearfix
-        = f.label :password
-        .input= f.password_field :password, required: true
-      .clearfix
-        = f.label :password_confirmation
-        .input
-          = f.password_field :password_confirmation, required: true
-      .clearfix
-        .input
-          = f.submit 'Save password', class: "btn btn-save"
-
-
 - if current_user.can_change_username?
   %fieldset.update-username