Allow token authentication on go-get request

author: Douwe Maan <douwe@gitlab.com> 2018-02-23 10:33:46 +0000
committer: Nick Thomas <nick@gitlab.com> 2018-02-23 10:33:46 +0000
commit: 7a6c7bd66bae678640c98ad426cd0153f638b163 (patch)
tree: 51dd1b18673e8f695ef2252b86c90b02148c269e /lib/gitlab/middleware
parent: 981b5905a02ac89ca9f33ad7c91d8c1a576ed9af (diff)
download: gitlab-ce-7a6c7bd66bae678640c98ad426cd0153f638b163.tar.gz
1 files changed, 9 insertions, 1 deletions
diff --git a/lib/gitlab/middleware/go.rb b/lib/gitlab/middleware/go.rb
index 1a570f480c6..1fd8f147b44 100644
--- a/lib/gitlab/middleware/go.rb
+++ b/lib/gitlab/middleware/go.rb
@@ -114,7 +114,15 @@ module Gitlab
       end
 
       def current_user(request)
-        request.env['warden']&.authenticate
+        authenticator = Gitlab::Auth::RequestAuthenticator.new(request)
+        user = authenticator.find_user_from_access_token || authenticator.find_user_from_warden
+
+        return unless user&.can?(:access_api)
+
+        # Right now, the `api` scope is the only one that should be able to determine private project existence.
+        return unless authenticator.valid_access_token?(scopes: [:api])
+
+        user
       end
     end
   end
author	Douwe Maan <douwe@gitlab.com>	2018-02-23 10:33:46 +0000
committer	Nick Thomas <nick@gitlab.com>	2018-02-23 10:33:46 +0000
commit	7a6c7bd66bae678640c98ad426cd0153f638b163 (patch)
tree	51dd1b18673e8f695ef2252b86c90b02148c269e /lib/gitlab/middleware
parent	981b5905a02ac89ca9f33ad7c91d8c1a576ed9af (diff)
download	gitlab-ce-7a6c7bd66bae678640c98ad426cd0153f638b163.tar.gz