authorDmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com>2013-10-16 23:30:44 -0700
committerDmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com>2013-10-16 23:30:44 -0700
commit03dba1fd4299e7a0364aa94a845aaeca60b0c286 (patch)
treefe0716cdf7e410278d1b2edc8ac4f5eb81de6e31 /lib/api/notes.rb
parentdad831662ad6521dfaf404621b72e551d456ca5c (diff)
parentaefe2e952f33267ce38fb9270400f4f6f194d37b (diff)
Merge pull request #5344 from amacarthur/thread-variable-fix
Fixing unsafe use of Thread.current variable :current_user
Diffstat (limited to 'lib/api/notes.rb')
-rw-r--r--lib/api/notes.rb40
1 files changed, 22 insertions, 18 deletions
diff --git a/lib/api/notes.rb b/lib/api/notes.rb
index cb2bc764476..f21907b1ffc 100644
--- a/lib/api/notes.rb
+++ b/lib/api/notes.rb
@@ -41,17 +41,19 @@ module API
# Example Request:
# POST /projects/:id/notes
post ":id/notes" do
- required_attributes! [:body]
+ set_current_user_for_thread do
+ required_attributes! [:body]
- @note = user_project.notes.new(note: params[:body])
- @note.author = current_user
+ @note = user_project.notes.new(note: params[:body])
+ @note.author = current_user
- if @note.save
- present @note, with: Entities::Note
- else
- # :note is exposed as :body, but :note is set on error
- bad_request!(:note) if @note.errors[:note].any?
- not_found!
+ if @note.save
+ present @note, with: Entities::Note
+ else
+ # :note is exposed as :body, but :note is set on error
+ bad_request!(:note) if @note.errors[:note].any?
+ not_found!
+ end
end
end
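Review bot: Whether this fix is complete depends on `set_current_user_for_thread` clearing the thread-local on every exit path, and three statements inside the new block leave it abnormally: `required_attributes!`, `bad_request!` and `not_found!` all abort the request instead of returning, so a helper that resets `Thread.current[:current_user]` only after a normal `yield` would leave the stale user behind on a pooled thread for the next request served by that thread to inherit. The helper is defined outside this file, so that cannot be confirmed from the hunk; if it is not already written that way, the reset belongs in an `ensure`, e.g. `yield ensure Thread.current[:current_user] = nil` (restoring the previous value rather than niling is safer if the helper can ever be nested). A spec that makes a request fail validation and then asserts the thread-local is nil would pin this down.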
@@ -97,17 +99,19 @@ module API
# POST /projects/:id/issues/:noteable_id/notes
# POST /projects/:id/snippets/:noteable_id/notes
post ":id/#{noteables_str}/:#{noteable_id_str}/notes" do
- required_attributes! [:body]
+ set_current_user_for_thread do
+ required_attributes! [:body]
- @noteable = user_project.send(:"#{noteables_str}").find(params[:"#{noteable_id_str}"])
- @note = @noteable.notes.new(note: params[:body])
- @note.author = current_user
- @note.project = user_project
+ @noteable = user_project.send(:"#{noteables_str}").find(params[:"#{noteable_id_str}"])
+ @note = @noteable.notes.new(note: params[:body])
+ @note.author = current_user
+ @note.project = user_project
- if @note.save
- present @note, with: Entities::Note
- else
- not_found!
+ if @note.save
+ present @note, with: Entities::Note
+ else
+ not_found!
+ end
end
end
end
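Review bot: The protection is applied by hand, one endpoint body at a time, so any handler in this file or elsewhere that reaches the same save-time consumer of `Thread.current[:current_user]` without the wrapper stays unfixed, and every future note-creating endpoint has to remember it. If the thread-local is only needed for the span of a request, an API-level hook that all endpoints inherit would remove that dependence on reviewer vigilance — for instance `before { Thread.current[:current_user] = current_user }` paired with an `after` (or `ensure`-based middleware) that clears it, if the Grape version in use supports those callbacks — leaving the handler bodies as they were. Separately, `user_project.send(:"#{noteables_str}")` is only safe as long as `noteables_str` keeps coming from a fixed list of noteable types rather than from params; a one-line comment such as `# noteables_str is drawn from a constant, never from request params` would guard against a later refactor turning this into an arbitrary method call. The loop that defines `noteables_str` and `noteable_id_str` starts outside the hunk.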