author | GitLab Bot <gitlab-bot@gitlab.com> | 2021-04-27 08:57:43 +0000 |
---|---|---|
committer | GitLab Bot <gitlab-bot@gitlab.com> | 2021-04-27 08:57:43 +0000 |
commit | bc299f54e841488b4ab37777761db1dfc7f3b60e (patch) | |
tree | bf58693acb03633a63138874072e3d3af3ee9f76 /app/controllers | |
parent | 2fad41087674984a064cf6a312ac34c16bb2a1aa (diff) | |
download | gitlab-ce-bc299f54e841488b4ab37777761db1dfc7f3b60e.tar.gz |
Add latest changes from gitlab-org/security/gitlab@13-11-stable-ee
Diffstat (limited to 'app/controllers')
-rw-r--r-- | app/controllers/concerns/sessionless_authentication.rb | 6 | ||||
-rw-r--r-- | app/controllers/graphql_controller.rb | 8 |
2 files changed, 12 insertions, 2 deletions
diff --git a/app/controllers/concerns/sessionless_authentication.rb b/app/controllers/concerns/sessionless_authentication.rb
index 882fef7a342..3c8a683439a 100644
--- a/app/controllers/concerns/sessionless_authentication.rb
+++ b/app/controllers/concerns/sessionless_authentication.rb
@@ -7,11 +7,15 @@ module SessionlessAuthentication
   # This filter handles personal access tokens, atom requests with rss tokens, and static object tokens
   def authenticate_sessionless_user!(request_format)
-    user = Gitlab::Auth::RequestAuthenticator.new(request).find_sessionless_user(request_format)
+    user = request_authenticator.find_sessionless_user(request_format)
 
     sessionless_sign_in(user) if user
   end
 
+  def request_authenticator
+    @request_authenticator ||= Gitlab::Auth::RequestAuthenticator.new(request)
+  end
+
   def sessionless_user?
     current_user && !session.key?('warden.user.user.key')
   end
diff --git a/app/controllers/graphql_controller.rb b/app/controllers/graphql_controller.rb
index a13ec1daddb..38bfb5ef2f8 100644
--- a/app/controllers/graphql_controller.rb
+++ b/app/controllers/graphql_controller.rb
@@ -110,7 +110,13 @@ class GraphqlController < ApplicationController
   end
 
   def context
-    @context ||= { current_user: current_user, is_sessionless_user: !!sessionless_user?, request: request }
+    api_user = !!sessionless_user?
+    @context ||= {
+      current_user: current_user,
+      is_sessionless_user: api_user,
+      request: request,
+      scope_validator: ::Gitlab::Auth::ScopeValidator.new(api_user, request_authenticator)
+    }
   end
 
   def build_variables(variable_info)
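Review bot: The new `request_authenticator` method is undocumented and, as far as this hunk shows, public on a controller concern, while its only purpose is to share one `Gitlab::Auth::RequestAuthenticator` between the sign-in filter and the GraphQL scope validator. If the concern has no `private` section covering it (not visible here), consider adding one or `private :request_authenticator` so it is never treated as a controller action. A short comment would also help the next reader, e.g. `# Memoised per request so sessionless sign-in and scope validation see the same token`. The module header and any surrounding visibility markers lie outside this hunk.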
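Review bot: `api_user = !!sessionless_user?` is evaluated on every call to `context`, but its value is only consumed when `@context` is first built, so on memo hits the check runs for nothing; moving the local inside the memoised block keeps the computation tied to the one-time construction. Note also that placing `scope_validator` in the context enforces nothing by itself — whether PAT scopes are actually checked depends on the resolvers and mutations that consult `context[:scope_validator]`, which are outside this diff; a comment such as `# consulted by resolvers/mutations to enforce token scopes on sessionless (API) requests` would make that dependency explicit. `GraphqlController` continues outside the hunk.
```ruby
  def context
    @context ||= begin
      api_user = !!sessionless_user?
      {
        current_user: current_user,
        is_sessionless_user: api_user,
        request: request,
        # consulted by resolvers/mutations to enforce token scopes on sessionless (API) requests
        scope_validator: ::Gitlab::Auth::ScopeValidator.new(api_user, request_authenticator)
      }
    end
  end
```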