summaryrefslogtreecommitdiff
path: root/app
diff options
context:
space:
mode:
authorFelipe Artur <fcardozo@gitlab.com>2019-03-27 14:59:02 +0000
committerNick Thomas <nick@gitlab.com>2019-03-27 14:59:02 +0000
commit73b553a42a1dec7bd38e0aeeb5514c2a566a98c9 (patch)
treea763b5e4a28ba39c0bff6abd9804063f8d1f2cf9 /app
parentb78aa81f323d16b71af40e2f6fc201d7e7a9a855 (diff)
downloadgitlab-ce-73b553a42a1dec7bd38e0aeeb5514c2a566a98c9.tar.gz
Add API access check to Graphql
Check if user can access API on GraphqlController
Diffstat (limited to 'app')
-rw-r--r--app/controllers/graphql_controller.rb5
1 files changed, 5 insertions, 0 deletions
diff --git a/app/controllers/graphql_controller.rb b/app/controllers/graphql_controller.rb
index e147d32be2e..7b5dc22815c 100644
--- a/app/controllers/graphql_controller.rb
+++ b/app/controllers/graphql_controller.rb
@@ -12,6 +12,7 @@ class GraphqlController < ApplicationController
protect_from_forgery with: :null_session, only: :execute
before_action :check_graphql_feature_flag!
+ before_action :authorize_access_api!
before_action(only: [:execute]) { authenticate_sessionless_user!(:api) }
def execute
@@ -37,6 +38,10 @@ class GraphqlController < ApplicationController
private
+ def authorize_access_api!
+ access_denied!("API not accessible for user.") unless can?(current_user, :access_api)
+ end
+
# Overridden from the ApplicationController to make the response look like
# a GraphQL response. That is nicely picked up in Graphiql.
def render_404