| author | Lin Jen-Shin <godfat@godfat.org> | 2016-10-08 07:51:07 +0000 |
|---|---|---|
| committer | Lin Jen-Shin <godfat@godfat.org> | 2016-10-08 07:51:07 +0000 |
| commit | 94611607e56f0e0f0b05682481db79ff99e9e34e (patch) | |
| tree | d2efea4ac3a6ec9aa3feabeb5c2187cfdd91d8f6 /lib/api/helpers.rb | |
| parent | 720968cc8799f665f4f4392e80bf8dfe88fdd69b (diff) | |
| parent | 28ca8502c254d5c3edfb7ece36fc365e7a715df0 (diff) | |
| download | gitlab-ce-94611607e56f0e0f0b05682481db79ff99e9e34e.tar.gz | |
Merge remote-tracking branch 'upstream/master' into pipeline-emails
* upstream/master: (292 commits)
Deletes extra empty line breaking the build
Optimize the `award_user_list` helper spec
Fix typo and add he MWBS accronym for "Merge When Build Succeeds"
Added missing content and improved layout
ExpireBuildArtifactsWorker query builds table without ordering enqueuing one job per build to cleanup
Improve the contribution and MR review guide
Updates test in order to look for link
Make projects API docs match parameter style
Fix Event#reset_project_activity updates
Update user whitelist reject message
Call ensure_secret_token! in secret token test's before block since it would be called in an initializer.
Add a CHANGELOG for CacheMarkdownField
Enable CacheMarkdownField for the remaining models
Make search results use the markdown cache columns, treating them consistently
Use CacheMarkdownField for notes
Add markdown cache columns to the database, but don't use them yet
Update issue board spec
Link to Registry docs from project settings
Truncate long labels with ellipsis in labels page
Improve issue load time performance by avoiding ORDER BY in find_by call
...
Diffstat (limited to 'lib/api/helpers.rb')
| -rw-r--r-- | lib/api/helpers.rb | 7 |
1 files changed, 5 insertions, 2 deletions
diff --git a/lib/api/helpers.rb b/lib/api/helpers.rb index 714d4ea3dc6..67473f300c9 100644 --- a/lib/api/helpers.rb +++ b/lib/api/helpers.rb @@ -21,8 +21,11 @@ module API end # Check the Rails session for valid authentication details + # + # Until CSRF protection is added to the API, disallow this method for + # state-changing endpoints def find_user_from_warden - warden ? warden.authenticate : nil + warden.try(:authenticate) if %w[GET HEAD].include?(env['REQUEST_METHOD']) end def find_user_by_private_token @@ -430,7 +433,7 @@ module API end def secret_token - File.read(Gitlab.config.gitlab_shell.secret_file).chomp + Gitlab::Shell.secret_token end def send_git_blob(repository, blob) |
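Review bot: In the first hunk, the new guard in `find_user_from_warden` keys on the request verb (`%w[GET HEAD].include?(env['REQUEST_METHOD'])`), while the added comment promises that session authentication is disallowed for state-changing endpoints. The two are equivalent only if no GET or HEAD route in the API changes state, so the comment should state that assumption. Because the method now returns nil silently for every other verb, a spec asserting that a session-authenticated POST, PUT or DELETE is treated as unauthenticated would keep the restriction from being loosened unnoticed, if one is not already part of the merge.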
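Review bot: In the second hunk, `secret_token` now delegates to `Gitlab::Shell.secret_token`, whose definition is outside this file's diff, so the behaviour of the removed line cannot be confirmed from here. The old code called `.chomp` on the file contents and re-read `Gitlab.config.gitlab_shell.secret_file` on every call. Please confirm the new method still strips the trailing newline, since a token compared with the newline attached would never match, and document whether it caches the value, since caching would change when an updated secret file takes effect.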
