summaryrefslogtreecommitdiff
path: root/lib/api
diff options
context:
space:
mode:
authorRémy Coutable <remy@rymai.me>2016-10-06 08:33:11 +0200
committerRémy Coutable <remy@rymai.me>2016-10-06 08:33:11 +0200
commitd51bb99a7e7c4dce4abefbf4967aa69054066c3b (patch)
treea6aba13ef5161890bbebd0b48bfc36ad3d8f8223 /lib/api
parent7e493b11546f15f7871a249474edf6afd418af89 (diff)
parent3f57ea0c0ba55f2612997acfb531f83a70b73323 (diff)
downloadgitlab-ce-d51bb99a7e7c4dce4abefbf4967aa69054066c3b.tar.gz
Merge commit 'dev/security' into 'master'
Signed-off-by: Rémy Coutable <remy@rymai.me>
Diffstat (limited to 'lib/api')
-rw-r--r--lib/api/helpers.rb5
1 files changed, 4 insertions, 1 deletions
diff --git a/lib/api/helpers.rb b/lib/api/helpers.rb
index 714d4ea3dc6..8b8c4eb4d46 100644
--- a/lib/api/helpers.rb
+++ b/lib/api/helpers.rb
@@ -21,8 +21,11 @@ module API
end
# Check the Rails session for valid authentication details
+ #
+ # Until CSRF protection is added to the API, disallow this method for
+ # state-changing endpoints
def find_user_from_warden
- warden ? warden.authenticate : nil
+ warden.try(:authenticate) if request.get? || request.head?
end
def find_user_by_private_token