diff options
author | Douwe Maan <douwe@selenight.nl> | 2017-07-26 11:25:10 +0200 |
---|---|---|
committer | Douwe Maan <douwe@selenight.nl> | 2017-07-26 11:25:10 +0200 |
commit | dcf4a2e83c69d1be0915f9c4c4f023abee2e7dea (patch) | |
tree | 540001cadb67cebea9afacbc9c61f3dd8911e835 | |
parent | 5a1f3df3b82361b613dbf718c4f7af26332297a1 (diff) | |
download | gitlab-ce-dcf4a2e83c69d1be0915f9c4c4f023abee2e7dea.tar.gz |
Rescue only from ActionController::InvalidAuthenticityToken
-rw-r--r-- | lib/api/helpers.rb | 4 | ||||
-rw-r--r-- | lib/gitlab/request_forgery_protection.rb | 8 |
2 files changed, 10 insertions, 2 deletions
diff --git a/lib/api/helpers.rb b/lib/api/helpers.rb index 9a589828221..234825480f2 100644 --- a/lib/api/helpers.rb +++ b/lib/api/helpers.rb @@ -336,9 +336,9 @@ module API env['warden'] end - # Check if CSRF tokens are valid. + # Check if the request is GET/HEAD, or if CSRF token is valid. def verified_request? - Gitlab::RequestForgeryProtection.call(env) rescue false + Gitlab::RequestForgeryProtection.verified?(env) end # Check the Rails session for valid authentication details diff --git a/lib/gitlab/request_forgery_protection.rb b/lib/gitlab/request_forgery_protection.rb index b0e15e2b655..48dd0487790 100644 --- a/lib/gitlab/request_forgery_protection.rb +++ b/lib/gitlab/request_forgery_protection.rb @@ -19,5 +19,13 @@ module Gitlab def self.call(env) app.call(env) end + + def self.verified?(env) + call(env) + + true + rescue ActionController::InvalidAuthenticityToken + false + end end end |