From dcf4a2e83c69d1be0915f9c4c4f023abee2e7dea Mon Sep 17 00:00:00 2001
From: Douwe Maan <douwe@selenight.nl>
Date: Wed, 26 Jul 2017 11:25:10 +0200
Subject: Rescue only from ActionController::InvalidAuthenticityToken

---
 lib/api/helpers.rb                       | 4 ++--
 lib/gitlab/request_forgery_protection.rb | 8 ++++++++
 2 files changed, 10 insertions(+), 2 deletions(-)

diff --git a/lib/api/helpers.rb b/lib/api/helpers.rb
index 9a589828221..234825480f2 100644
--- a/lib/api/helpers.rb
+++ b/lib/api/helpers.rb
@@ -336,9 +336,9 @@ module API
       env['warden']
     end
 
-    # Check if CSRF tokens are valid.
+    # Check if the request is GET/HEAD, or if CSRF token is valid.
     def verified_request?
-      Gitlab::RequestForgeryProtection.call(env) rescue false
+      Gitlab::RequestForgeryProtection.verified?(env)
     end
 
     # Check the Rails session for valid authentication details
diff --git a/lib/gitlab/request_forgery_protection.rb b/lib/gitlab/request_forgery_protection.rb
index b0e15e2b655..48dd0487790 100644
--- a/lib/gitlab/request_forgery_protection.rb
+++ b/lib/gitlab/request_forgery_protection.rb
@@ -19,5 +19,13 @@ module Gitlab
     def self.call(env)
       app.call(env)
     end
+
+    def self.verified?(env)
+      call(env)
+
+      true
+    rescue ActionController::InvalidAuthenticityToken
+      false
+    end
   end
 end
-- 
cgit v1.2.1