diff options
Diffstat (limited to 'app/controllers/graphql_controller.rb')
-rw-r--r-- | app/controllers/graphql_controller.rb | 9 |
1 files changed, 8 insertions, 1 deletions
diff --git a/app/controllers/graphql_controller.rb b/app/controllers/graphql_controller.rb index 3ef03bc9622..e147d32be2e 100644 --- a/app/controllers/graphql_controller.rb +++ b/app/controllers/graphql_controller.rb @@ -3,9 +3,16 @@ class GraphqlController < ApplicationController # Unauthenticated users have access to the API for public data skip_before_action :authenticate_user! - prepend_before_action(only: [:execute]) { authenticate_sessionless_user!(:api) } + + # Allow missing CSRF tokens, this would mean that if a CSRF is invalid or missing, + # the user won't be authenticated but can proceed as an anonymous user. + # + # If a CSRF is valid, the user is authenticated. This makes it easier to play + # around in GraphiQL. + protect_from_forgery with: :null_session, only: :execute before_action :check_graphql_feature_flag! + before_action(only: [:execute]) { authenticate_sessionless_user!(:api) } def execute variables = Gitlab::Graphql::Variables.new(params[:variables]).to_h |