-rw-r--r--lib/api/helpers.rb4
-rw-r--r--lib/gitlab/request_forgery_protection.rb8
2 files changed, 10 insertions, 2 deletions
diff --git a/lib/api/helpers.rb b/lib/api/helpers.rb
index 9a589828221..234825480f2 100644
--- a/lib/api/helpers.rb
+++ b/lib/api/helpers.rb
@@ -336,9 +336,9 @@ module API
env['warden']
end
- # Check if CSRF tokens are valid.
+ # Check if the request is GET/HEAD, or if CSRF token is valid.
def verified_request?
- Gitlab::RequestForgeryProtection.call(env) rescue false
+ Gitlab::RequestForgeryProtection.verified?(env)
end
# Check the Rails session for valid authentication details
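Review bot: The new comment on `verified_request?` does not mention that the method can now raise. The removed `rescue false` turned every StandardError into `false`, whereas the new call returns `false` only for `ActionController::InvalidAuthenticityToken` and lets anything else propagate to the caller. That fails closed, which is the safer direction for a CSRF check, but callers that relied on a plain boolean should be checked. I would extend the comment with `# Returns false only for an invalid CSRF token; any other error raised by the check propagates.` The GET/HEAD behaviour the comment describes is not visible in this hunk and presumably comes from the inner app of `Gitlab::RequestForgeryProtection`.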
diff --git a/lib/gitlab/request_forgery_protection.rb b/lib/gitlab/request_forgery_protection.rb
index b0e15e2b655..48dd0487790 100644
--- a/lib/gitlab/request_forgery_protection.rb
+++ b/lib/gitlab/request_forgery_protection.rb
@@ -19,5 +19,13 @@ module Gitlab
def self.call(env)
app.call(env)
end
+
+ def self.verified?(env)
+ call(env)
+
+ true
+ rescue ActionController::InvalidAuthenticityToken
+ false
+ end
end
end
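Review bot: `self.verified?` returns `true` whenever `call(env)` does not raise, so it is only correct if the wrapped `app` signals a bad token by raising `ActionController::InvalidAuthenticityToken`. `app` is defined outside this hunk; if it were ever configured to reset the session or return an error response instead of raising, this method would report every request as verified. A doc comment should state that dependency, for example `# Returns true if the CSRF check passes for env, false if it raises InvalidAuthenticityToken; relies on app raising on failure.` The diffstat lists only the two lib files, so a spec covering a valid token, an invalid token and a GET request appears to be missing from this commit.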