authorSean McGivern <sean@mcgivern.me.uk>2017-07-27 10:20:52 +0000
committerSean McGivern <sean@mcgivern.me.uk>2017-07-27 10:20:52 +0000
commitef50875d3aa27a8e7bcc3296f911da4710be0585 (patch)
tree6b3522c20239dc319719203372464a0aa88fd9cb /lib/api
parent2850efcdd51909a5a92f844e7b8940ed0190d234 (diff)
parentbfe8b96874c66c54e2e4c1a66a520087b217e9e7 (diff)
Merge branch '33601-add-csrf-token-verification-to-api' into 'master'
Resolve "Add CSRF token verification to API" Closes #33601 See merge request !12154
Diffstat (limited to 'lib/api')
-rw-r--r--lib/api/helpers.rb10
1 files changed, 6 insertions, 4 deletions
diff --git a/lib/api/helpers.rb b/lib/api/helpers.rb
index 57e3e93500f..234825480f2 100644
--- a/lib/api/helpers.rb
+++ b/lib/api/helpers.rb
@@ -336,12 +336,14 @@ module API
env['warden']
end
+ # Check if the request is GET/HEAD, or if CSRF token is valid.
+ def verified_request?
+ Gitlab::RequestForgeryProtection.verified?(env)
+ end
+
# Check the Rails session for valid authentication details
- #
- # Until CSRF protection is added to the API, disallow this method for
- # state-changing endpoints
def find_user_from_warden
- warden.try(:authenticate) if %w[GET HEAD].include?(env['REQUEST_METHOD'])
+ warden.try(:authenticate) if verified_request?
end
def initial_current_user
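Review bot: The rationale for the guard in `find_user_from_warden` is lost with the removed comment lines, and the new comment on `verified_request?` describes what `Gitlab::RequestForgeryProtection.verified?` does even though that helper is not visible in this hunk. Because session (warden) authentication is now honoured on state-changing requests whenever that helper returns true, every non-GET endpoint that accepts cookie-based auth relies on it, so a why-comment should stay on `find_user_from_warden`, e.g. `# Only honour the browser session when the request is safe (GET/HEAD) or carries a valid CSRF token; otherwise a cross-site request could act as the logged-in user.` For `verified_request?` I would phrase the comment as the contract the API depends on rather than a restatement of its body, e.g. `# True for safe requests or when the CSRF token matches the session (delegated to Gitlab::RequestForgeryProtection).` It is also worth confirming, outside this hunk, that the helper's GET/HEAD shortcut reads the request method after any method-override middleware has run, since the old code read `env['REQUEST_METHOD']` directly.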