authorPhil Hughes <me@iamphill.com>2017-08-02 16:37:40 +0100
committerPhil Hughes <me@iamphill.com>2017-08-02 16:37:40 +0100
commite4c20cd3fe330faa415493ee2fe30dc16fbaca80 (patch)
tree0be61b6cc59cf35d81b9271c7603e0d8b203a31c /lib/api/helpers.rb
parent25d6a6c4b528159c288995de4909e6a8da431d0b (diff)
parent88958e5a9cd364ae36f3d2837982cedb9239c3bc (diff)
Merge branch 'master' into sidebar-fly-out-sub-navsidebar-fly-out-sub-nav
Diffstat (limited to 'lib/api/helpers.rb')
-rw-r--r--lib/api/helpers.rb14
1 files changed, 10 insertions, 4 deletions
diff --git a/lib/api/helpers.rb b/lib/api/helpers.rb
index 0f4791841d2..234825480f2 100644
--- a/lib/api/helpers.rb
+++ b/lib/api/helpers.rb
@@ -25,6 +25,10 @@ module API
initial_current_user != current_user
end
+ def user_group
+ @group ||= find_group!(params[:id])
+ end
+
def user_project
@project ||= find_project!(params[:id])
end
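Review bot: `user_group` memoizes into the bare `@group` instance variable, so any endpoint that has already assigned `@group` itself will get that object back instead of a fresh `find_group!(params[:id])` lookup; whether that can happen depends on the endpoint code, which is not in this hunk, so it is worth confirming or using a more specific ivar name. The new helper also carries no comment, unlike the method it mirrors being equally bare; I would add `# Group addressed by params[:id]; find_group! is expected to 404/raise for missing or inaccessible groups — verify` above `def user_group`. The enclosing `module API` starts outside the hunk.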
@@ -332,12 +336,14 @@ module API
env['warden']
end
+ # Check if the request is GET/HEAD, or if CSRF token is valid.
+ def verified_request?
+ Gitlab::RequestForgeryProtection.verified?(env)
+ end
+
# Check the Rails session for valid authentication details
- #
- # Until CSRF protection is added to the API, disallow this method for
- # state-changing endpoints
def find_user_from_warden
- warden.try(:authenticate) if %w[GET HEAD].include?(env['REQUEST_METHOD'])
+ warden.try(:authenticate) if verified_request?
end
def initial_current_user
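Review bot: The removed comment on `find_user_from_warden` explained *why* session authentication was restricted, and the replacement leaves only the generic "Check the Rails session" line, so the security rationale of the new `verified_request?` gate is lost; I would restore it as `# Only honour the Rails session for safe (GET/HEAD) or CSRF-verified requests, so a cross-site browser request cannot act with the victim's session` above `def find_user_from_warden`. Note the exemption for GET/HEAD is only safe if no API endpoint mutates state on those methods; a state-changing GET remains reachable through a logged-in session from a cross-origin page, which is a property of the routes rather than of this hunk. The behaviour of `Gitlab::RequestForgeryProtection.verified?` (presumably wrapping Rails' request-forgery check) is not visible here, so the comment on `verified_request?` should be read as a summary to confirm against that class. The enclosing `module API` begins and continues outside this hunk.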