Skip CSRF check on SAML failure endpoint

Review changes
Download
Patches
Plain diff

James Edwards-Jones requested to merge jej/avoid-csrf-check-on-saml-failure into master Jan 19, 2019

Overview 22
Commits 1
Pipelines 12
Changes 3

What does this MR do?

Whitelists :failure endpoint on OmniauthCallbacksController from CSRF checks as this is called when we wish to display an error message or count failed login attempts.

What are the relevant issue numbers?

Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/56574

Might also help with https://gitlab.com/gitlab-org/gitlab-ce/issues/48961 and https://gitlab.com/gitlab-org/gitlab-ce/issues/44913

Does this MR meet the acceptance criteria?

Changelog entry added, if necessary
Documentation created/updated via this MR
Documentation reviewed by technical writer or follow-up review issue created
Tests added for this feature/bug
Tested in all supported browsers
Conforms to the code review guidelines
Conforms to the merge request performance guidelines
Conforms to the style guides
Conforms to the database guides
Link to e2e tests MR added if this MR has Requires e2e tests label. See the Test Planning Process.
Security reports checked/validated by reviewer

Edited Jan 21, 2019 by James Edwards-Jones

Merge request reports

Assignee

Select assignees

Reviewers

Request review from

Time tracking