diff options
author | Felipe Artur <fcardozo@gitlab.com> | 2019-03-27 14:59:02 +0000 |
---|---|---|
committer | Nick Thomas <nick@gitlab.com> | 2019-03-27 14:59:02 +0000 |
commit | 73b553a42a1dec7bd38e0aeeb5514c2a566a98c9 (patch) | |
tree | a763b5e4a28ba39c0bff6abd9804063f8d1f2cf9 /app | |
parent | b78aa81f323d16b71af40e2f6fc201d7e7a9a855 (diff) | |
download | gitlab-ce-73b553a42a1dec7bd38e0aeeb5514c2a566a98c9.tar.gz |
Add API access check to Graphql
Check if user can access API on GraphqlController
Diffstat (limited to 'app')
-rw-r--r-- | app/controllers/graphql_controller.rb | 5 |
1 files changed, 5 insertions, 0 deletions
diff --git a/app/controllers/graphql_controller.rb b/app/controllers/graphql_controller.rb index e147d32be2e..7b5dc22815c 100644 --- a/app/controllers/graphql_controller.rb +++ b/app/controllers/graphql_controller.rb @@ -12,6 +12,7 @@ class GraphqlController < ApplicationController protect_from_forgery with: :null_session, only: :execute before_action :check_graphql_feature_flag! + before_action :authorize_access_api! before_action(only: [:execute]) { authenticate_sessionless_user!(:api) } def execute @@ -37,6 +38,10 @@ class GraphqlController < ApplicationController private + def authorize_access_api! + access_denied!("API not accessible for user.") unless can?(current_user, :access_api) + end + # Overridden from the ApplicationController to make the response look like # a GraphQL response. That is nicely picked up in Graphiql. def render_404 |