Rescue only from ActionController::InvalidAuthenticityToken

dcf4a2e8 · Douwe Maan · 5a1f3df3 · dcf4a2e8 · dcf4a2e8
Commit dcf4a2e8 authored Jul 26, 2017 by Douwe Maan
Hide whitespace changes
Inline Side-by-side

Showing with 10 additions and 2 deletions

lib/api/helpers.rb lib/api/helpers.rb +2 -2

lib/gitlab/request_forgery_protection.rb lib/gitlab/request_forgery_protection.rb +8 -0

No files found.
--- a/lib/api/helpers.rb
+++ b/lib/api/helpers.rb
@@ -336,9 +336,9 @@ module API
      env['warden']
    end

-    # Check if CSRF tokens are valid.
+    # Check if the request is GET/HEAD, or if CSRF token is valid.
    def verified_request?
-      Gitlab::RequestForgeryProtection.call(env) rescue false
+      Gitlab::RequestForgeryProtection.verified?(env)
    end

    # Check the Rails session for valid authentication details

--- a/lib/gitlab/request_forgery_protection.rb
+++ b/lib/gitlab/request_forgery_protection.rb
@@ -19,5 +19,13 @@ module Gitlab
    def self.call(env)
      app.call(env)
    end
+
+    def self.verified?(env)
+      call(env)
+
+      true
+    rescue ActionController::InvalidAuthenticityToken
+      false
+    end
  end
 end