• Drew Blessing's avatar
    Clear session access tokens when starting/stopping impersonation · 413f65cf
    Drew Blessing authored
    For project import purposes, GitLab may store third-party
    access tokens in the session cookie. When an admin impersonates
    another user, the session is not totally unique so we should
    clear out any access tokens both when starting and stopping
    impersonation. This prevents inadvertently using the wrong
    token in the wrong context.
    
    Changelog: security
    413f65cf
impersonation.rb 1.32 KB