author | Sean McGivern <sean@mcgivern.me.uk> | 2017-03-23 12:25:56 +0000 |
---|---|---|
committer | Sean McGivern <sean@mcgivern.me.uk> | 2017-03-23 12:25:56 +0000 |
commit | ef91f83dd151eb59c25910134e48812051fbe23a (patch) | |
tree | f870192bd29fe793cb5b9e1d1ef0208932f4dee6 /app | |
parent | bf305f2067da9b2a3caed5dd2c07548b85490221 (diff) | |
parent | 8b6041bce31750aeffbaca70950c36188b6639d1 (diff) | |
Merge branch 'dont-find-by-token-when-no-token-is-present' into 'master'
Don't try to find a user by personal_access_token if the token is nil
See merge request !10146
Diffstat (limited to 'app')
-rw-r--r-- | app/controllers/application_controller.rb | 7 | ||||
-rw-r--r-- | app/models/user.rb | 2 |
2 files changed, 7 insertions, 2 deletions
diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb
index b7ce081a5cd..6a6e335d314 100644
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -64,8 +64,11 @@ class ApplicationController < ActionController::Base
   # This filter handles both private tokens and personal access tokens
   def authenticate_user_from_private_token!
-    token_string = params[:private_token].presence || request.headers['PRIVATE-TOKEN'].presence
-    user = User.find_by_authentication_token(token_string) || User.find_by_personal_access_token(token_string)
+    token = params[:private_token].presence || request.headers['PRIVATE-TOKEN'].presence
+
+    return unless token.present?
+
+    user = User.find_by_authentication_token(token) || User.find_by_personal_access_token(token)
     if user && can?(user, :log_in)
       # Notice we are passing store false, so the user is not
diff --git a/app/models/user.rb b/app/models/user.rb
index 8c7ad5d5174..5d19d873f43 100644
--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -324,6 +324,8 @@ class User < ActiveRecord::Base
   end
   def find_by_personal_access_token(token_string)
+    return unless token_string
+
     PersonalAccessTokensFinder.new(state: 'active').find_by(token: token_string)&.user
   end
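Review bot: In authenticate_user_from_private_token! the new `return unless token.present?` re-checks what the two `.presence` calls on the line above already guarantee — `token` is either nil or a non-blank string at that point — so `return unless token` expresses the same guard without the redundant predicate. The early return is doing security work rather than tidying, and the hunk leaves that unstated; a comment such as `# A missing token must never reach the user finders: a nil lookup key could match rows whose token column is NULL` would stop a later refactor from folding it away (whether `find_by_authentication_token(nil)` actually behaves that way depends on its definition, which is outside this hunk). The body of authenticate_user_from_private_token! continues past the end of the hunk.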
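Review bot: The added `return unless token_string` in find_by_personal_access_token rejects only nil and false; an empty string is truthy in Ruby, so `""` still reaches `PersonalAccessTokensFinder#find_by`. The controller caller in this merge strips blanks with `.presence`, but this model method is the shared defence and should not depend on every caller doing that — `return if token_string.blank?` closes the gap and is available here since this is an ActiveRecord model. A one-line comment above the guard, `# Reject nil/blank lookup keys so they can never match a token row`, would record why the check exists. Whether this method sits inside a `class << self` block is not visible in the hunk.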