Fix omniauth (SAML/CAS) sign-in routes not having CSRF protection (#15228)

master
Eugen Rochko 4 years ago committed by GitHub
parent 13206fcfb8
commit 13b07b88f1
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
  1. 1
      Gemfile
  2. 4
      Gemfile.lock
  3. 3
      app/views/auth/sessions/new.html.haml

@ -44,6 +44,7 @@ gem 'net-ldap', '~> 0.16'
gem 'omniauth-cas', '~> 2.0'
gem 'omniauth-saml', '~> 1.10'
gem 'omniauth', '~> 1.9'
gem 'omniauth-rails_csrf_protection', '~> 0.1'
gem 'color_diff', '~> 0.1'
gem 'discard', '~> 1.2'

@ -375,6 +375,9 @@ GEM
addressable (~> 2.3)
nokogiri (~> 1.5)
omniauth (~> 1.2)
omniauth-rails_csrf_protection (0.1.2)
actionpack (>= 4.2)
omniauth (>= 1.3.1)
omniauth-saml (1.10.3)
omniauth (~> 1.3, >= 1.3.2)
ruby-saml (~> 1.9)
@ -741,6 +744,7 @@ DEPENDENCIES
oj (~> 3.10)
omniauth (~> 1.9)
omniauth-cas (~> 2.0)
omniauth-rails_csrf_protection (~> 0.1)
omniauth-saml (~> 1.10)
ox (~> 2.13)
paperclip (~> 6.0)

@ -22,7 +22,6 @@
.actions
- resource_class.omniauth_providers.each do |provider|
= link_to omniauth_authorize_path(resource_name, provider), class: "button button-#{provider}" do
= t("auth.providers.#{provider}", default: provider.to_s.chomp("_oauth2").capitalize)
= link_to t("auth.providers.#{provider}", default: provider.to_s.chomp("_oauth2").capitalize), omniauth_authorize_path(resource_name, provider), class: "button button-#{provider}", method: :post
.form-footer= render 'auth/shared/links'

Loading…
Cancel
Save