Commit fe035a3a authored by Josianne Hyson

Add comment with reason for skipping admin auth

Updating Doorkeeper to 5.0.2 introduced a change where all controllers
that inherit from `Doorkeeper::ApplicationsController` must define the
admin_authenticator in the config, otherwise all the endpoints will
always return a `403`.

As we have our own authentication logic for this controller defined in
`authenticate_user!`, this call is redundant. We've chosen to explicitly
skip it here, so that anyone who inherits from this controller in the
future will have to decide how to handle the authentication explicitly.
parent a550a54b
...@@ -8,6 +8,8 @@ class Oauth::ApplicationsController < Doorkeeper::ApplicationsController ...@@ -8,6 +8,8 @@ class Oauth::ApplicationsController < Doorkeeper::ApplicationsController
include Gitlab::Experimentation::ControllerConcern include Gitlab::Experimentation::ControllerConcern
include InitializesCurrentUserMode include InitializesCurrentUserMode
# Defined by the `Doorkeeper::ApplicationsController` and is redundant as we call `authenticate_user!` below. Not
# defining or skipping this will result in a `403` response to all requests.
skip_before_action :authenticate_admin! skip_before_action :authenticate_admin!
prepend_before_action :verify_user_oauth_applications_enabled, except: :index prepend_before_action :verify_user_oauth_applications_enabled, except: :index
......
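Review bot: The comment added above `skip_before_action :authenticate_admin!` justifies the skip by saying `authenticate_user!` is called "below", but that call is outside the visible context, so a reader of this hunk cannot confirm it runs for every action without an `only:` or `except:` restriction. Because the skip removes the check that Doorkeeper would otherwise enforce, the comment should name where `authenticate_user!` is registered and state that any subclass inherits the skip; the commit message spells out that intent for future inheritors, but the code comment does not. A request spec asserting that unauthenticated requests to each action are rejected would keep this from regressing silently on a later Doorkeeper upgrade.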