Fixing unsafe use of Thread.current variable :current_user

author: Angus MacArthur <amacarthur@blackberry.com> 2013-10-04 15:11:50 -0400
committer: Angus MacArthur <amacarthur@blackberry.com> 2013-10-16 01:20:53 -0400
commit: aefe2e952f33267ce38fb9270400f4f6f194d37b (patch)
tree: 3546807c2b7942585a41cfb1163dc5e6a69e40e0 /lib/api/notes.rb
parent: a8eb525e72f6883a07539af9429ccd41dbc8698b (diff)
download: gitlab-ce-aefe2e952f33267ce38fb9270400f4f6f194d37b.tar.gz
1 files changed, 22 insertions, 18 deletions
diff --git a/lib/api/notes.rb b/lib/api/notes.rb
index cb2bc764476..f21907b1ffc 100644
--- a/lib/api/notes.rb
+++ b/lib/api/notes.rb
@@ -41,17 +41,19 @@ module API
       # Example Request:
       #   POST /projects/:id/notes
       post ":id/notes" do
-        required_attributes! [:body]
+        set_current_user_for_thread do
+          required_attributes! [:body]
 
-        @note = user_project.notes.new(note: params[:body])
-        @note.author = current_user
+          @note = user_project.notes.new(note: params[:body])
+          @note.author = current_user
 
-        if @note.save
-          present @note, with: Entities::Note
-        else
-          # :note is exposed as :body, but :note is set on error
-          bad_request!(:note) if @note.errors[:note].any?
-          not_found!
+          if @note.save
+            present @note, with: Entities::Note
+          else
+            # :note is exposed as :body, but :note is set on error
+            bad_request!(:note) if @note.errors[:note].any?
+            not_found!
+          end
         end
       end
 
@@ -97,17 +99,19 @@ module API
         #   POST /projects/:id/issues/:noteable_id/notes
         #   POST /projects/:id/snippets/:noteable_id/notes
         post ":id/#{noteables_str}/:#{noteable_id_str}/notes" do
-          required_attributes! [:body]
+          set_current_user_for_thread do
+            required_attributes! [:body]
 
-          @noteable = user_project.send(:"#{noteables_str}").find(params[:"#{noteable_id_str}"])
-          @note = @noteable.notes.new(note: params[:body])
-          @note.author = current_user
-          @note.project = user_project
+            @noteable = user_project.send(:"#{noteables_str}").find(params[:"#{noteable_id_str}"])
+            @note = @noteable.notes.new(note: params[:body])
+            @note.author = current_user
+            @note.project = user_project
 
-          if @note.save
-            present @note, with: Entities::Note
-          else
-            not_found!
+            if @note.save
+              present @note, with: Entities::Note
+            else
+              not_found!
+            end
           end
         end
       end
author	Angus MacArthur <amacarthur@blackberry.com>	2013-10-04 15:11:50 -0400
committer	Angus MacArthur <amacarthur@blackberry.com>	2013-10-16 01:20:53 -0400
commit	aefe2e952f33267ce38fb9270400f4f6f194d37b (patch)
tree	3546807c2b7942585a41cfb1163dc5e6a69e40e0 /lib/api/notes.rb
parent	a8eb525e72f6883a07539af9429ccd41dbc8698b (diff)
download	gitlab-ce-aefe2e952f33267ce38fb9270400f4f6f194d37b.tar.gz