diff options
| author | GitLab Bot <gitlab-bot@gitlab.com> | 2020-09-30 22:02:13 +0000 |
|---|---|---|
| committer | GitLab Bot <gitlab-bot@gitlab.com> | 2020-09-30 22:02:13 +0000 |
| commit | 516fba52cf280b9d5bad08dce9f0150f859b6cea (patch) | |
| tree | 4dad71be856651af62c9a281b01087ae15480810 /lib/api | |
| parent | c90be62bdefdb6bb67c73a9c4a6d164c9f78a28d (diff) | |
| download | gitlab-ce-516fba52cf280b9d5bad08dce9f0150f859b6cea.tar.gz | |
Add latest changes from gitlab-org/security/gitlab@13-4-stable-ee
Diffstat (limited to 'lib/api')
| -rw-r--r-- | lib/api/api_guard.rb | 6 |
1 files changed, 4 insertions, 2 deletions
diff --git a/lib/api/api_guard.rb b/lib/api/api_guard.rb index 46b69214877..bf5044b4832 100644 --- a/lib/api/api_guard.rb +++ b/lib/api/api_guard.rb @@ -54,8 +54,10 @@ module API user = find_user_from_sources return unless user - # Sessions are enforced to be unavailable for API calls, so ignore them for admin mode - Gitlab::Auth::CurrentUserMode.bypass_session!(user.id) if Feature.enabled?(:user_mode_in_session) + if user.is_a?(User) && Feature.enabled?(:user_mode_in_session) + # Sessions are enforced to be unavailable for API calls, so ignore them for admin mode + Gitlab::Auth::CurrentUserMode.bypass_session!(user.id) + end unless api_access_allowed?(user) forbidden!(api_access_denied_message(user)) |