Commit 715349d6 authored by GitLab Release Tools Bot's avatar GitLab Release Tools Bot

Merge branch 'security_dblessing_impersonation_breakout' into 'master'

Prevent double-impersonation and impersonation breakout

See merge request gitlab-org/security/gitlab!1797
parents 1d8a236a 780c8592
...@@ -45,7 +45,7 @@ class Admin::UsersController < Admin::ApplicationController ...@@ -45,7 +45,7 @@ class Admin::UsersController < Admin::ApplicationController
end end
def impersonate def impersonate
if can?(user, :log_in) if can?(user, :log_in) && !impersonation_in_progress?
session[:impersonator_id] = current_user.id session[:impersonator_id] = current_user.id
warden.set_user(user, scope: :user) warden.set_user(user, scope: :user)
...@@ -58,7 +58,9 @@ class Admin::UsersController < Admin::ApplicationController ...@@ -58,7 +58,9 @@ class Admin::UsersController < Admin::ApplicationController
redirect_to root_path redirect_to root_path
else else
flash[:alert] = flash[:alert] =
if user.blocked? if impersonation_in_progress?
_("You are already impersonating another user")
elsif user.blocked?
_("You cannot impersonate a blocked user") _("You cannot impersonate a blocked user")
elsif user.internal? elsif user.internal?
_("You cannot impersonate an internal user") _("You cannot impersonate an internal user")
......
...@@ -20,7 +20,7 @@ module Impersonation ...@@ -20,7 +20,7 @@ module Impersonation
protected protected
def check_impersonation_availability def check_impersonation_availability
return unless session[:impersonator_id] return unless impersonation_in_progress?
unless Gitlab.config.gitlab.impersonation_enabled unless Gitlab.config.gitlab.impersonation_enabled
stop_impersonation stop_impersonation
...@@ -38,6 +38,10 @@ module Impersonation ...@@ -38,6 +38,10 @@ module Impersonation
current_user current_user
end end
def impersonation_in_progress?
session[:impersonator_id].present?
end
def log_impersonation_event def log_impersonation_event
Gitlab::AppLogger.info("User #{impersonator.username} has stopped impersonating #{current_user.username}") Gitlab::AppLogger.info("User #{impersonator.username} has stopped impersonating #{current_user.username}")
end end
......
...@@ -38545,6 +38545,9 @@ msgstr "" ...@@ -38545,6 +38545,9 @@ msgstr ""
msgid "You are already a member of this %{member_source}." msgid "You are already a member of this %{member_source}."
msgstr "" msgstr ""
msgid "You are already impersonating another user"
msgstr ""
msgid "You are an admin, which means granting access to %{client_name} will allow them to interact with GitLab as an admin as well. Proceed with caution." msgid "You are an admin, which means granting access to %{client_name} will allow them to interact with GitLab as an admin as well. Proceed with caution."
msgstr "" msgstr ""
......
...@@ -815,5 +815,20 @@ RSpec.describe Admin::UsersController do ...@@ -815,5 +815,20 @@ RSpec.describe Admin::UsersController do
expect(response).to have_gitlab_http_status(:not_found) expect(response).to have_gitlab_http_status(:not_found)
end end
end end
context 'when impersonating an admin and attempting to impersonate again' do
let(:admin2) { create(:admin) }
before do
post :impersonate, params: { id: admin2.username }
end
it 'does not allow double impersonation', :aggregate_failures do
post :impersonate, params: { id: user.username }
expect(flash[:alert]).to eq(_('You are already impersonating another user'))
expect(warden.user).to eq(admin2)
end
end
end end
end end
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment