fd51f19c
Commit
fd51f19c
authored
Sep 22, 2016
by
Nick Thomas
API: disable rails session auth for non-GET/HEAD requests
parent
294482f3
Showing
2 changed files
with
37 additions
and
7 deletions
+37
-7
lib/api/helpers.rb
lib/api/helpers.rb
+4
-1
spec/requests/api/api_helpers_spec.rb
spec/requests/api/api_helpers_spec.rb
+33
-6
lib/api/helpers.rb
@@ -21,8 +21,11 @@ module API
end
# Check the Rails session for valid authentication details
#
# Until CSRF protection is added to the API, disallow this method for
# state-changing endpoints
def
find_user_from_warden
warden
?
warden
.
authenticate
:
nil
warden
.
try
(
:authenticate
)
if
request
.
get?
||
request
.
head?
end
def
find_user_by_private_token
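Review bot: The new `find_user_from_warden` body documents why session auth is skipped for state-changing verbs but not what the caller sees, so a reader of this helper cannot tell that a PUT/POST/DELETE with a valid Rails session now deliberately yields `nil` and is expected to fall through to token-based authentication. I would extend the comment above the method with `# Returns the Warden-authenticated user for GET/HEAD requests, nil otherwise` and `# (callers then fall back to private/OAuth token lookup).` so the CSRF-exemption boundary is explicit at the call sites too. `warden.try(:authenticate)` keeps the old ternary's nil-safe behaviour when `warden` is absent, which is worth a word since the `try` now carries that guard. The enclosing `API::Helpers` module continues outside this hunk.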
spec/requests/api/api_helpers_spec.rb
@@ -10,7 +10,8 @@ describe API::Helpers, api: true do
let
(
:key
)
{
create
(
:key
,
user:
user
)
}
let
(
:params
)
{
{}
}
let
(
:env
)
{
{}
}
let
(
:env
)
{
{
'REQUEST_METHOD'
=>
'GET'
}
}
let
(
:request
)
{
Rack
::
Request
.
new
(
env
)
}
def
set_env
(
token_usr
,
identifier
)
clear_env
@@ -52,18 +53,44 @@ describe API::Helpers, api: true do
describe
".current_user"
do
subject
{
current_user
}
describe
"
when authenticating via Warde
n"
do
describe
"
Warden authenticatio
n"
do
before
{
doorkeeper_guard_returns
false
}
context
"fails"
do
context
"with invalid credentials"
do
context
"GET request"
do
before
{
env
[
'REQUEST_METHOD'
]
=
'GET'
}
it
{
is_expected
.
to
be_nil
}
end
end
context
"
succeed
s"
do
context
"
with valid credential
s"
do
before
{
warden_authenticate_returns
user
}
context
"GET request"
do
before
{
env
[
'REQUEST_METHOD'
]
=
'GET'
}
it
{
is_expected
.
to
eq
(
user
)
}
end
context
"HEAD request"
do
before
{
env
[
'REQUEST_METHOD'
]
=
'HEAD'
}
it
{
is_expected
.
to
eq
(
user
)
}
end
context
"PUT request"
do
before
{
env
[
'REQUEST_METHOD'
]
=
'PUT'
}
it
{
is_expected
.
to
be_nil
}
end
context
"POST request"
do
before
{
env
[
'REQUEST_METHOD'
]
=
'POST'
}
it
{
is_expected
.
to
be_nil
}
end
context
"DELETE request"
do
before
{
env
[
'REQUEST_METHOD'
]
=
'DELETE'
}
it
{
is_expected
.
to
be_nil
}
end
end
end
describe
"when authenticating using a user's private token"
do
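Review bot: The per-verb contexts reach the method under test by mutating the memoized `env` hash in `before { env['REQUEST_METHOD'] = 'PUT' }`, which only works because `let(:request) { Rack::Request.new(env) }` is lazy and has not been evaluated yet when `before` runs; any future `before` that touches `request` earlier would silently pin the method to the `'GET'` default from the new `let(:env)`. A less order-dependent shape is `let(:request_method) { 'GET' }`, `let(:env) { { 'REQUEST_METHOD' => request_method } }`, with each context overriding `let(:request_method) { 'PUT' }` instead of mutating the hash. The "fails" branch covers only GET, so it is presumably fine, but a single non-GET example there would also document that the verb check is independent of credentials. The `describe ".current_user"` block continues outside this hunk.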