From 530b25ab14999d0407e39e1bf0a0e5595da2a028 Mon Sep 17 00:00:00 2001
From: Tom Clegg
Date: Mon, 30 Oct 2017 16:56:32 -0400
Subject: [PATCH] 11453: Do not generate local tokens for remote users.

Arvados-DCO-1.1-Signed-off-by: Tom Clegg
---
 services/api/app/controllers/user_sessions_controller.rb | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/services/api/app/controllers/user_sessions_controller.rb b/services/api/app/controllers/user_sessions_controller.rb
index 5a90f4f8ea..5de85bc98b 100644
--- a/services/api/app/controllers/user_sessions_controller.rb
+++ b/services/api/app/controllers/user_sessions_controller.rb
@@ -24,7 +24,11 @@ class UserSessionsController < ApplicationController
       return redirect_to login_failure_url
     end
 
-    user = User.find_by_identity_url(omniauth['info']['identity_url'])
+    # Only local users can create sessions, hence uuid_like_pattern
+    # here.
+    user = User.where('identity_url = ? and uuid like ?',
+                      omniauth['info']['identity_url'],
+                      User.uuid_like_pattern).first
     if not user
       # Check for permission to log in to an existing User record with
       # a different identity_url
-- 
2.30.2
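Review bot: The new `User.where(... uuid like ?)` lookup correctly keeps a User record owned by another cluster from getting a local token, but when such a remote user's identity_url does reach this controller, `user` is now nil and execution falls into the `if not user` branch, which from the context lines goes on to look for (and, presumably, otherwise create) a User record for that identity_url; if that path creates a new local account, the outcome is a duplicate local user sharing the remote user's identity_url rather than a refused login. That branch continues outside the hunk, so it is worth confirming it rejects the login in this case instead of provisioning a user. The added comment states what the pattern filters but not why it matters; I would replace the two comment lines with `# A token issued here is a local token, so never match a User record owned by another cluster (uuid outside this cluster's prefix); restrict the lookup to local uuids.`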