author | Mike Lewis <mlewis@gitlab.com> | 2019-03-07 15:59:00 +0000 |
committer | Mike Lewis <mlewis@gitlab.com> | 2019-03-07 15:59:00 +0000 |
commit | dbd7309a16bd3abc6c586b6c2df2beb317cfef95 (patch) | |
tree | 3fdd719c926ac80285f0dc93ef975625657d0fbb /app/controllers/graphql_controller.rb | |
parent | 7be248334b350091e83d0335bf0c263071c6a67f (diff) | |
parent | b63efb09a5c864047924cd2d84527b47dd563d5f (diff) | |
Merge branch 'master' into 'reply-to-comment-documentation'reply-to-comment-documentation
# Conflicts:
# doc/user/discussions/index.md
Diffstat (limited to 'app/controllers/graphql_controller.rb')
-rw-r--r-- | app/controllers/graphql_controller.rb | 9 |
1 files changed, 8 insertions, 1 deletions
diff --git a/app/controllers/graphql_controller.rb b/app/controllers/graphql_controller.rb
index 3ef03bc9622..e147d32be2e 100644
--- a/app/controllers/graphql_controller.rb
+++ b/app/controllers/graphql_controller.rb
@@ -3,9 +3,16 @@ class GraphqlController < ApplicationController
   # Unauthenticated users have access to the API for public data
   skip_before_action :authenticate_user!
-  prepend_before_action(only: [:execute]) { authenticate_sessionless_user!(:api) }
+
+  # Allow missing CSRF tokens, this would mean that if a CSRF is invalid or missing,
+  # the user won't be authenticated but can proceed as an anonymous user.
+  #
+  # If a CSRF is valid, the user is authenticated. This makes it easier to play
+  # around in GraphiQL.
+  protect_from_forgery with: :null_session, only: :execute
 
   before_action :check_graphql_feature_flag!
+  before_action(only: [:execute]) { authenticate_sessionless_user!(:api) }
 
   def execute
     variables = Gitlab::Graphql::Variables.new(params[:variables]).to_h