diff options
| author | Cindy Pallares <cindy@gitlab.com> | 2018-11-28 19:06:02 +0000 |
|---|---|---|
| committer | Cindy Pallares <cindy@gitlab.com> | 2018-11-28 19:13:59 -0500 |
| commit | fe5f75930e781ef854b458fafa307ebb90a8ed2e (patch) | |
| tree | 7160814e28d056568685e8fe84456755ce02fecd /app/controllers/projects_controller.rb | |
| parent | e122e14ac6a25c7813ca888a97bd4a3298e78d9d (diff) | |
| download | gitlab-ce-fe5f75930e781ef854b458fafa307ebb90a8ed2e.tar.gz | |
Merge branch 'security-fix-pat-web-access' into 'master'
[master] Resolve "Personal access token with only `read_user` scope can be used to authenticate any web request"
See merge request gitlab/gitlabhq!2583
Diffstat (limited to 'app/controllers/projects_controller.rb')
| -rw-r--r-- | app/controllers/projects_controller.rb | 2 |
1 files changed, 2 insertions, 0 deletions
diff --git a/app/controllers/projects_controller.rb b/app/controllers/projects_controller.rb index 7f4a9f5151b..8bf93bfd68d 100644 --- a/app/controllers/projects_controller.rb +++ b/app/controllers/projects_controller.rb @@ -7,6 +7,8 @@ class ProjectsController < Projects::ApplicationController include PreviewMarkdown include SendFileUpload + prepend_before_action(only: [:show]) { authenticate_sessionless_user!(:rss) } + before_action :whitelist_query_limiting, only: [:create] before_action :authenticate_user!, except: [:index, :show, :activity, :refs] before_action :redirect_git_extension, only: [:show] |