diff --git a/app/controllers/omniauth_callbacks_controller.rb b/app/controllers/omniauth_callbacks_controller.rb
index 26802eb6833a3d7f8721f686f40c1c370269f9f3..3e212c950baa2ad38170142724dc1314d9a38a16 100644
--- a/app/controllers/omniauth_callbacks_controller.rb
+++ b/app/controllers/omniauth_callbacks_controller.rb
@@ -9,6 +9,7 @@ class OmniauthCallbacksController < Devise::OmniauthCallbacksController
 include AcceptsPendingInvitations
 include Onboarding::Redirectable
 include InternalRedirect
+ include SafeFormatHelper
 ACTIVE_SINCE_KEY = 'active_since'
@@ -249,15 +250,20 @@ def sign_in_user_flow(auth_user_class)
 end
 def handle_signup_error
+ redirect_path = new_user_session_path
 label = Gitlab::Auth::OAuth::Provider.label_for(oauth['provider'])
- message = [_("Signing in using your %{label} account without a pre-existing GitLab account is not allowed.") % { label: label }]
+ simple_url = Settings.gitlab.url.sub(%r{^https?://(www\.)?}i, '')
+ message = [_("Signing in using your %{label} account without a pre-existing account in %{simple_url} is not allowed.") % { label: label, simple_url: simple_url }]
 if Gitlab::CurrentSettings.allow_signup?
- message << (_("Create a GitLab account first, and then connect it to your %{label} account.") % { label: label })
+ redirect_path = new_user_registration_path
+ doc_pair = tag_pair(view_context.link_to('', help_page_path('user/profile/index.md', anchor: 'sign-in-services')), :doc_start, :doc_end)
+ message << safe_format(_("Create an account in %{simple_url} first, and then %{doc_start}connect it to your %{label} account%{doc_end}."), doc_pair, label: label, simple_url: simple_url)
 end
- flash[:alert] = message.join(' ')
- redirect_to new_user_session_path
+ flash[:alert] = message.join(' ').html_safe # rubocop:disable Rails/OutputSafety -- Generated message is safe
+
+ redirect_to redirect_path
 end
 def oauth
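Review bot: `message.join(' ').html_safe` in `handle_signup_error` marks the whole alert as trusted HTML, yet the first sentence is built with plain `%` interpolation, so `label`, `simple_url` and the translated string are never escaped; only the second sentence passes through `safe_format`. Both values look like instance configuration rather than request data, so this is hardening rather than a demonstrated injection, but the rubocop exemption then rests on an assumption the method does not enforce. `flash[:alert] = view_context.safe_join(message, ' ')` would escape the plain element, keep the `safe_format` output intact and make the `html_safe` call and its exemption unnecessary. Separately, `%r{^https?://(www\.)?}i` anchors with `^`, which matches at any line start in Ruby; `\A` pins it to the start of the string.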
diff --git a/locale/gitlab.pot b/locale/gitlab.pot
index 061329f214ea4c0471a14bffbae44a2a95af7058..fdf262e8f2c83bb91a09eff7d8e2c956aad21063 100644
--- a/locale/gitlab.pot
+++ b/locale/gitlab.pot
@@ -16113,9 +16113,6 @@ msgstr ""
 msgid "Create New Directory"
 msgstr ""
-msgid "Create a GitLab account first, and then connect it to your %{label} account."
-msgstr ""
-
 msgid "Create a Kubernetes cluster"
 msgstr ""
@@ -16170,6 +16167,9 @@ msgstr ""
 msgid "Create a project"
 msgstr ""
+msgid "Create an account in %{simple_url} first, and then %{doc_start}connect it to your %{label} account%{doc_end}."
+msgstr ""
+
 msgid "Create an incident. Incidents are created for each alert triggered."
 msgstr ""
@@ -51888,7 +51888,7 @@ msgstr ""
 msgid "Signing in using your %{label} account has been disabled for security reasons. Please sign in to your GitLab account using another authentication method and reconnect to your %{label} account."
 msgstr ""
-msgid "Signing in using your %{label} account without a pre-existing GitLab account is not allowed."
+msgid "Signing in using your %{label} account without a pre-existing account in %{simple_url} is not allowed."
 msgstr ""
 msgid "SilentMode|All outbound communications are blocked. %{link_start}Learn more%{link_end}."
diff --git a/spec/controllers/omniauth_callbacks_controller_spec.rb b/spec/controllers/omniauth_callbacks_controller_spec.rb
index e0f5a112ea5d8b223e055f0c72068b8a6e8eff14..6bfd9376eb7ecf91905a42190bf472b7d8cc6808 100644
--- a/spec/controllers/omniauth_callbacks_controller_spec.rb
+++ b/spec/controllers/omniauth_callbacks_controller_spec.rb
@@ -476,11 +476,17 @@
 context 'for a new user' do
 before do
+ @original_url = Settings.gitlab.url
+ Settings.gitlab.url = 'https://www.example.com:43/gitlab'
 stub_omniauth_setting(enabled: true, auto_link_user: true, allow_single_sign_on: ['atlassian_oauth2'])
 user.destroy!
 end
+ after do
+ Settings.gitlab.url = @original_url
+ end
+
 it 'denies sign-in if sign-up is enabled, but block_auto_created_users is set' do
 post :atlassian_oauth2
@@ -500,7 +506,7 @@
 post :atlassian_oauth2
- expect(flash[:alert]).to start_with 'Signing in using your Atlassian account without a pre-existing GitLab account is not allowed.'
+ expect(flash[:alert]).to eq('Signing in using your Atlassian account without a pre-existing account in example.com:43/gitlab is not allowed. Create an account in example.com:43/gitlab first, and then <a href="/help/user/profile/index.md#sign-in-services">connect it to your Atlassian account</a>.')
 end
 end
 end
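Review bot: The `before`/`after` pair assigns `Settings.gitlab.url` directly, which changes process-wide configuration and relies on the `after` hook and an instance variable to put it back. A stub scoped to the example, such as `allow(Settings.gitlab).to receive(:url).and_return('https://www.example.com:43/gitlab')`, would be undone by RSpec itself and needs no `@original_url`; whether the settings object accepts a partial double here should be confirmed. The `context 'for a new user'` block closes outside this hunk.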
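Review bot: The new `eq(...)` expectation pins the anchor markup only for benign values ('Atlassian', 'example.com:43/gitlab'), so nothing in the spec shows what happens when the provider label or the configured URL contains HTML metacharacters. Since the controller now marks the alert `html_safe`, an example with a label such as `'<b>Acme</b>'` (constructed) asserting that the flash holds `&lt;b&gt;` would document the escaping the message depends on. The same gap applies to the SAML expectations in the `@@ -666,12 +672,34 @@` hunk. The enclosing `it` block opens above this hunk.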
@@ -666,12 +672,34 @@ def stub_last_request_id(id)
 expect(request.env['warden']).to be_authenticated
 end
- it 'denies login if sign up is not enabled' do
- stub_omniauth_setting(allow_single_sign_on: false, block_auto_created_users: false)
+ describe 'when registering a new account is allowed' do
+ before do
+ allow(Gitlab::CurrentSettings).to receive(:allow_signup?).and_return(true)
+ end
+
+ it 'denies login if sign up is not enabled' do
+ stub_omniauth_setting(allow_single_sign_on: false, block_auto_created_users: false)
- post :saml, params: { SAMLResponse: mock_saml_response }
+ post :saml, params: { SAMLResponse: mock_saml_response }
- expect(flash[:alert]).to start_with 'Signing in using your saml account without a pre-existing GitLab account is not allowed.'
+ expect(flash[:alert]).to eq('Signing in using your saml account without a pre-existing account in localhost is not allowed. Create an account in localhost first, and then <a href="/help/user/profile/index.md#sign-in-services">connect it to your saml account</a>.')
+ expect(response).to redirect_to(new_user_registration_path)
+ end
+ end
+
+ describe 'when registering a new account is not allowed' do
+ before do
+ allow(Gitlab::CurrentSettings).to receive(:allow_signup?).and_return(false)
+ end
+
+ it 'denies login if sign up is not enabled' do
+ stub_omniauth_setting(allow_single_sign_on: false, block_auto_created_users: false)
+
+ post :saml, params: { SAMLResponse: mock_saml_response }
+
+ expect(flash[:alert]).to eq('Signing in using your saml account without a pre-existing account in localhost is not allowed.')
+ expect(response).to redirect_to(new_user_session_path)
+ end
 end
 it 'logs saml_response for debugging' do
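Review bot: Both new examples keep the description 'denies login if sign up is not enabled', although they now differ in the `allow_signup?` stub, the alert text and the redirect they assert, so the description no longer says what each one checks. Naming them after the outcome, e.g. `it 'shows the sign-up hint and redirects to registration'` and `it 'redirects to the sign-in page without the hint'`, would make a failure self-explanatory. Using `context` rather than `describe` for the two 'when …' groups would also match the state-based grouping seen earlier in this diff (`context 'for a new user'`). The group that contains these examples opens outside the hunk.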