author | Stan Hu <stanhu@gmail.com> | 2016-01-20 12:00:28 -0800 |
---|---|---|
committer | Rémy Coutable <remy@rymai.me> | 2016-02-03 15:42:24 +0100 |
commit | 7aa739ddc720dcba42a2f54934b10f369d4cf566 (patch) | |
tree | 03a2ab63badff13838d7a3240e0fb043061a2947 /app/controllers/application_controller.rb | |
parent | bb51e9c66ee91f70f11f210b03fe0a36885bb05d (diff) | |
download | gitlab-ce-7aa739ddc720dcba42a2f54934b10f369d4cf566.tar.gz |
Support download access by PRIVATE-TOKEN header
Currently there is no way to download a raw file without embedding
the token in the URL, which exposes the token in the URL. There
should be a way of sending this information via the header as the
API does.
Closes https://github.com/gitlabhq/gitlabhq/issues/8137
Diffstat (limited to 'app/controllers/application_controller.rb')
-rw-r--r-- | app/controllers/application_controller.rb | 2 |
1 files changed, 2 insertions, 0 deletions
diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb index 824175c8a6c..7fa2f68ef07 100644 --- a/app/controllers/application_controller.rb +++ b/app/controllers/application_controller.rb @@ -60,6 +60,8 @@ class ApplicationController < ActionController::Base params[:authenticity_token].presence elsif params[:private_token].presence params[:private_token].presence + elsif request.headers['PRIVATE-TOKEN'].present? + request.headers['PRIVATE-TOKEN'] end user = user_token && User.find_by_authentication_token(user_token.to_s) |
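Review bot: The new `elsif request.headers['PRIVATE-TOKEN'].present?` branch is added to the shared token lookup in `ApplicationController`, so the header is accepted by any controller action that runs this lookup, not only by raw file downloads as the commit message describes. If that scope is intended, state it in the commit message or in a comment above the branch; if it is not, restrict the header check to the download actions. A smaller style point on the same two lines: the branches above use `.presence` for both the condition and the value, while this one tests with `.present?` and then reads the header a second time; `request.headers['PRIVATE-TOKEN'].presence` would match the existing pattern. The header is also checked last, after `params[:authenticity_token]` and `params[:private_token]`, so a request carrying both a parameter token and a header token is resolved by the parameter; a short comment documenting that precedence would help later readers.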