diff options
| author | James Edwards-Jones <jedwardsjones@gitlab.com> | 2019-06-04 16:21:05 +0100 |
|---|---|---|
| committer | James Edwards-Jones <jedwardsjones@gitlab.com> | 2019-06-05 19:07:20 +0100 |
| commit | 866f544c3e29c66ab47ddd9266898cb64d615967 (patch) | |
| tree | 1509ddd37633ed254ce5cba14ff2ebe5271d6862 | |
| parent | dbcbfc2638c289307c6e421fa6a5ca48603b1d53 (diff) | |
| download | gitlab-ce-866f544c3e29c66ab47ddd9266898cb64d615967.tar.gz | |
Avoid setting Gitlab::Session on sessionless requests
| -rw-r--r-- | app/controllers/application_controller.rb | 2 | ||||
| -rw-r--r-- | changelogs/unreleased/ce-jej-fix-git-http-with-sso-enforcement.yml | 5 | ||||
| -rw-r--r-- | spec/controllers/application_controller_spec.rb | 34 |
3 files changed, 41 insertions, 0 deletions
diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb index 6e98d66d712..7321f719deb 100644 --- a/app/controllers/application_controller.rb +++ b/app/controllers/application_controller.rb @@ -440,6 +440,8 @@ class ApplicationController < ActionController::Base end def set_session_storage(&block) + return yield if sessionless_user? + Gitlab::Session.with_session(session, &block) end diff --git a/changelogs/unreleased/ce-jej-fix-git-http-with-sso-enforcement.yml b/changelogs/unreleased/ce-jej-fix-git-http-with-sso-enforcement.yml new file mode 100644 index 00000000000..a795e33b00d --- /dev/null +++ b/changelogs/unreleased/ce-jej-fix-git-http-with-sso-enforcement.yml @@ -0,0 +1,5 @@ +--- +title: Avoid setting Gitlab::Session on sessionless requests and Git HTTP +merge_request: 29146 +author: +type: fixed diff --git a/spec/controllers/application_controller_spec.rb b/spec/controllers/application_controller_spec.rb index 5ecd1b6b7c8..40669ec5451 100644 --- a/spec/controllers/application_controller_spec.rb +++ b/spec/controllers/application_controller_spec.rb @@ -691,4 +691,38 @@ describe ApplicationController do end end end + + context 'Gitlab::Session' do + controller(described_class) do + prepend_before_action do + authenticate_sessionless_user!(:rss) + end + + def index + if Gitlab::Session.current + head :created + else + head :not_found + end + end + end + + it 'is set on web requests' do + sign_in(user) + + get :index + + expect(response).to have_gitlab_http_status(:created) + end + + context 'with sessionless user' do + it 'is not set' do + personal_access_token = create(:personal_access_token, user: user) + + get :index, format: :atom, params: { private_token: personal_access_token.token } + + expect(response).to have_gitlab_http_status(:not_found) + end + end + end end |