author | Jan Provaznik <jprovaznik@gitlab.com> | 2019-06-06 06:14:15 +0000 |
---|---|---|
committer | Jan Provaznik <jprovaznik@gitlab.com> | 2019-06-06 06:14:15 +0000 |
commit | 055c160be1cbde3e05aa000e1ff0109725a7bfa8 (patch) | |
tree | 9c115a609e04397ade10c2b546b83877ee3376a1 | |
parent | 549d64c6fcda33db7531361e661935b2ffdfb43c (diff) | |
parent | c7d9d462ec5b6012cd795d3e3034dbcca531de42 (diff) | |
Merge branch 'ce-jej/fix-git-http-with-sso-enforcement' into 'master'
Avoid setting Gitlab::Session on sessionless requests and Git HTTP
See merge request gitlab-org/gitlab-ce!29146
4 files changed, 42 insertions, 0 deletions
diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb
index 6e98d66d712..7321f719deb 100644
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -440,6 +440,8 @@ class ApplicationController < ActionController::Base
 end
 
 def set_session_storage(&block)
+ return yield if sessionless_user?
+
 Gitlab::Session.with_session(session, &block)
 end
 
diff --git a/app/controllers/projects/git_http_client_controller.rb b/app/controllers/projects/git_http_client_controller.rb
index 7a80da53025..956093b972b 100644
--- a/app/controllers/projects/git_http_client_controller.rb
+++ b/app/controllers/projects/git_http_client_controller.rb
@@ -15,6 +15,7 @@ class Projects::GitHttpClientController < Projects::ApplicationController
 alias_method :authenticated_user, :actor
 
 # Git clients will not know what authenticity token to send along
+ skip_around_action :set_session_storage
 skip_before_action :verify_authenticity_token
 skip_before_action :repository
 before_action :authenticate_user
diff --git a/changelogs/unreleased/ce-jej-fix-git-http-with-sso-enforcement.yml b/changelogs/unreleased/ce-jej-fix-git-http-with-sso-enforcement.yml
new file mode 100644
index 00000000000..a795e33b00d
--- /dev/null
+++ b/changelogs/unreleased/ce-jej-fix-git-http-with-sso-enforcement.yml
@@ -0,0 +1,5 @@
+---
+title: Avoid setting Gitlab::Session on sessionless requests and Git HTTP
+merge_request: 29146
+author:
+type: fixed
diff --git a/spec/controllers/application_controller_spec.rb b/spec/controllers/application_controller_spec.rb
index 5ecd1b6b7c8..40669ec5451 100644
--- a/spec/controllers/application_controller_spec.rb
+++ b/spec/controllers/application_controller_spec.rb
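Review bot: The guard `return yield if sessionless_user?` makes `set_session_storage` correct only if sessionless authentication has already been decided by the time this around_action runs, and nothing in the method records that dependency; if the sessionless check ran later in the callback chain the request would presumably still get a `Gitlab::Session`. The spec in this same commit reaches for `prepend_before_action` to run `authenticate_sessionless_user!` early, which suggests the ordering is relied upon rather than enforced. A comment above the guard would make the contract explicit: `# Token-authenticated (sessionless) requests never get a Gitlab::Session; this relies on sessionless authentication having run earlier in the callback chain.` `sessionless_user?` is defined outside the hunk, so what it treats as sessionless cannot be confirmed here.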
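Review bot: The new `skip_around_action :set_session_storage` is placed directly beneath the comment `# Git clients will not know what authenticity token to send along`, so it reads as if it were justified by the CSRF rationale, which it is not. Give the skip its own comment so the next reader does not conflate the two reasons, e.g. `# Git HTTP requests carry no browser session, so Gitlab::Session must not be set for them (see ApplicationController#set_session_storage).`, and keep the CSRF comment attached to `skip_before_action :verify_authenticity_token`. The enclosing class continues outside the hunk.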
@@ -691,4 +691,38 @@ describe ApplicationController do
 end
 end
 end
+
+ context 'Gitlab::Session' do
+ controller(described_class) do
+ prepend_before_action do
+ authenticate_sessionless_user!(:rss)
+ end
+
+ def index
+ if Gitlab::Session.current
+ head :created
+ else
+ head :not_found
+ end
+ end
+ end
+
+ it 'is set on web requests' do
+ sign_in(user)
+
+ get :index
+
+ expect(response).to have_gitlab_http_status(:created)
+ end
+
+ context 'with sessionless user' do
+ it 'is not set' do
+ personal_access_token = create(:personal_access_token, user: user)
+
+ get :index, format: :atom, params: { private_token: personal_access_token.token }
+
+ expect(response).to have_gitlab_http_status(:not_found)
+ end
+ end
+ end
 end
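Review bot: The negative assertion in `it 'is not set'` cannot tell a token-authenticated request that correctly has no `Gitlab::Session` apart from a request where token authentication never happened, since both presumably end in the anonymous controller's `head :not_found`; the example would keep passing if `private_token` handling silently broke. Assert that the request really was authenticated as `user` before checking the status, for instance `expect(controller.current_user).to eq(user)` if the Devise helper is reachable on the anonymous controller. Nothing in this commit exercises the `skip_around_action` added to `Projects::GitHttpClientController`, so that path is covered only by inspection. The surrounding `describe` block starts outside the hunk, and `user` is defined there.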