Merge pull request #5344 from amacarthur/thread-variable-fix

Fixing unsafe use of Thread.current variable :current_user
author: Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com> 2013-10-16 23:30:44 -0700
committer: Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com> 2013-10-16 23:30:44 -0700
commit: 03dba1fd4299e7a0364aa94a845aaeca60b0c286 (patch)
tree: fe0716cdf7e410278d1b2edc8ac4f5eb81de6e31 /app
parent: dad831662ad6521dfaf404621b72e551d456ca5c (diff)
parent: aefe2e952f33267ce38fb9270400f4f6f194d37b (diff)
download: gitlab-ce-03dba1fd4299e7a0364aa94a845aaeca60b0c286.tar.gz
1 files changed, 6 insertions, 1 deletions
diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb
index 85b95862a17..cfa3cac5e88 100644
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -2,7 +2,7 @@ class ApplicationController < ActionController::Base
   before_filter :authenticate_user!
   before_filter :reject_blocked!
   before_filter :check_password_expiration
-  before_filter :set_current_user_for_thread
+  around_filter :set_current_user_for_thread
   before_filter :add_abilities
   before_filter :dev_tools if Rails.env == 'development'
   before_filter :default_headers
@@ -50,6 +50,11 @@ class ApplicationController < ActionController::Base
 
   def set_current_user_for_thread
     Thread.current[:current_user] = current_user
+    begin
+      yield
+    ensure
+      Thread.current[:current_user] = nil
+    end
   end
 
   def abilities
author	Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com>	2013-10-16 23:30:44 -0700
committer	Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com>	2013-10-16 23:30:44 -0700
commit	03dba1fd4299e7a0364aa94a845aaeca60b0c286 (patch)
tree	fe0716cdf7e410278d1b2edc8ac4f5eb81de6e31 /app
parent	dad831662ad6521dfaf404621b72e551d456ca5c (diff)
parent	aefe2e952f33267ce38fb9270400f4f6f194d37b (diff)
download	gitlab-ce-03dba1fd4299e7a0364aa94a845aaeca60b0c286.tar.gz