authorGitLab Bot <gitlab-bot@gitlab.com>2020-05-12 18:07:54 +0000
committerGitLab Bot <gitlab-bot@gitlab.com>2020-05-12 18:07:54 +0000
commit742a7f35acd8cf2150bf322e4b385ea104d74a05 (patch)
tree3ca173ce1fa5549f49bc41fc9c52142d616bd943 /app
parent8ff63012e9b7e3dc2279e636868af9a438d1fa93 (diff)
Add latest changes from gitlab-org/gitlab@master
Diffstat (limited to 'app')
-rw-r--r--app/controllers/admin/dashboard_controller.rb1
-rw-r--r--app/controllers/graphql_controller.rb7
2 files changed, 7 insertions, 1 deletions
diff --git a/app/controllers/admin/dashboard_controller.rb b/app/controllers/admin/dashboard_controller.rb
index cd95105a893..b7b535e70df 100644
--- a/app/controllers/admin/dashboard_controller.rb
+++ b/app/controllers/admin/dashboard_controller.rb
@@ -13,6 +13,7 @@ class Admin::DashboardController < Admin::ApplicationController
@users = User.order_id_desc.limit(10)
@groups = Group.order_id_desc.with_route.limit(10)
@notices = Gitlab::ConfigChecker::PumaRuggedChecker.check
+ @notices += Gitlab::ConfigChecker::ExternalDatabaseChecker.check
end
# rubocop: enable CodeReuse/ActiveRecord
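Review bot: The `+=` on the new `ExternalDatabaseChecker.check` line assumes both checkers return an Array; neither return contract is visible in this hunk, and if either ever returns nil the admin dashboard raises NoMethodError on every load rather than degrading to fewer notices. Since this is the second checker appended the same way, it would be more robust and easier to extend as one list: `checkers = [Gitlab::ConfigChecker::PumaRuggedChecker, Gitlab::ConfigChecker::ExternalDatabaseChecker]` followed by `@notices = checkers.flat_map { |checker| Array(checker.check) }`. If the checkers are guaranteed to return arrays, a one-line comment stating that contract, `# each checker returns an Array of notice hashes`, would make the `+=` safe to read. The enclosing action starts outside this hunk.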
diff --git a/app/controllers/graphql_controller.rb b/app/controllers/graphql_controller.rb
index 522d171b5bf..dc75d37fb01 100644
--- a/app/controllers/graphql_controller.rb
+++ b/app/controllers/graphql_controller.rb
@@ -3,7 +3,12 @@
class GraphqlController < ApplicationController
# Unauthenticated users have access to the API for public data
skip_before_action :authenticate_user!
- skip_around_action :set_session_storage
+
+ # If a user is using their session to access GraphQL, we need to have session
+ # storage, since the admin-mode check is session wide.
+ # We can't enable this for anonymous users because that would cause users using
+ # enforced SSO from using an auth token to access the API.
+ skip_around_action :set_session_storage, unless: :current_user
# Allow missing CSRF tokens, this would mean that if a CSRF is invalid or missing,
# the user won't be authenticated but can proceed as an anonymous user.