author | Rémy Coutable <remy@rymai.me> | 2016-10-06 08:33:11 +0200 |
---|---|---|
committer | Rémy Coutable <remy@rymai.me> | 2016-10-06 08:33:11 +0200 |
commit | d51bb99a7e7c4dce4abefbf4967aa69054066c3b (patch) | |
tree | a6aba13ef5161890bbebd0b48bfc36ad3d8f8223 /lib/api | |
parent | 7e493b11546f15f7871a249474edf6afd418af89 (diff) | |
parent | 3f57ea0c0ba55f2612997acfb531f83a70b73323 (diff) | |
Merge commit 'dev/security' into 'master'
Signed-off-by: Rémy Coutable <remy@rymai.me>
Diffstat (limited to 'lib/api')
-rw-r--r-- | lib/api/helpers.rb | 5 |
1 files changed, 4 insertions, 1 deletions
diff --git a/lib/api/helpers.rb b/lib/api/helpers.rb
index 714d4ea3dc6..8b8c4eb4d46 100644
--- a/lib/api/helpers.rb
+++ b/lib/api/helpers.rb
@@ -21,8 +21,11 @@ module API
     end
 
     # Check the Rails session for valid authentication details
+    #
+    # Until CSRF protection is added to the API, disallow this method for
+    # state-changing endpoints
     def find_user_from_warden
-      warden ? warden.authenticate : nil
+      warden.try(:authenticate) if request.get? || request.head?
     end
 
     def find_user_by_private_token
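Review bot: The new guard in `find_user_from_warden` only narrows cookie-based authentication to GET/HEAD, so it relies on an invariant the hunk does not state: every GET/HEAD API endpoint must be side-effect-free, otherwise a cookie-authenticated GET that mutates state remains CSRF-exposed exactly as before. I would make that explicit in the added comment, e.g. `# GET/HEAD handlers must stay side-effect-free: a session-authenticated GET that mutates state would still be CSRF-exposed.` A fuller fix, rather than rejecting session auth outright on other verbs, would be to accept them only when a valid `X-CSRF-Token` header is present (Rails' `valid_authenticity_token?` logic), which the comment's "until CSRF protection is added" already anticipates. Also note that `warden.try(:authenticate)` returns `nil` not only when `warden` is `nil` (the case the old ternary handled) but also, under ActiveSupport's `try`, when the object does not respond to `authenticate`; if that is not intended, `warden&.authenticate`-style semantics (`warden.authenticate if warden`) keeps the failure visible. The enclosing `module API` / helpers module begins and ends outside this hunk.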