Merge branch '22435-no-api-state-change-via-rails-session' into 'security'

API: disable rails session auth for non-GET/HEAD requests Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/22435 See merge request !1999
author: Douwe Maan <douwe@gitlab.com> 2016-09-28 14:44:11 +0000
committer: Douwe Maan <douwe@gitlab.com> 2016-09-28 14:44:11 +0000
commit: a4cddd81f1b4bd56ca99b49ce947a5e381322125 (patch)
tree: b23ff985661ca4f745c801d2f3e901422297b75e /lib/api
parent: 8e887c7efc8bd2a4fb4b1fb881c9d30b05023932 (diff)
parent: af5e54f9ce4f491ccf605c7c74c137785da743a4 (diff)
download: gitlab-ce-a4cddd81f1b4bd56ca99b49ce947a5e381322125.tar.gz
1 files changed, 4 insertions, 1 deletions
diff --git a/lib/api/helpers.rb b/lib/api/helpers.rb
index 714d4ea3dc6..8b8c4eb4d46 100644
--- a/lib/api/helpers.rb
+++ b/lib/api/helpers.rb
@@ -21,8 +21,11 @@ module API
     end
 
     # Check the Rails session for valid authentication details
+    #
+    # Until CSRF protection is added to the API, disallow this method for
+    # state-changing endpoints
     def find_user_from_warden
-      warden ? warden.authenticate : nil
+      warden.try(:authenticate) if request.get? || request.head?
     end
 
     def find_user_by_private_token
author	Douwe Maan <douwe@gitlab.com>	2016-09-28 14:44:11 +0000
committer	Douwe Maan <douwe@gitlab.com>	2016-09-28 14:44:11 +0000
commit	a4cddd81f1b4bd56ca99b49ce947a5e381322125 (patch)
tree	b23ff985661ca4f745c801d2f3e901422297b75e /lib/api
parent	8e887c7efc8bd2a4fb4b1fb881c9d30b05023932 (diff)
parent	af5e54f9ce4f491ccf605c7c74c137785da743a4 (diff)
download	gitlab-ce-a4cddd81f1b4bd56ca99b49ce947a5e381322125.tar.gz