API: disable rails session auth for non-GET/HEAD requests

author: Nick Thomas <nick@gitlab.com> 2016-09-22 13:56:43 +0100
committer: Nick Thomas <nick@gitlab.com> 2016-09-23 12:21:47 +0100
commit: fd51f19c978023160ad759676a0363c12aea3fc8 (patch)
tree: 06ca61ae539d3432aadda0a45f95295bd8ad9186 /lib/api
parent: 294482f38388542b43b908dcb427759544a7486f (diff)
download: gitlab-ce-fd51f19c978023160ad759676a0363c12aea3fc8.tar.gz
1 files changed, 4 insertions, 1 deletions
diff --git a/lib/api/helpers.rb b/lib/api/helpers.rb
index 714d4ea3dc6..8b8c4eb4d46 100644
--- a/lib/api/helpers.rb
+++ b/lib/api/helpers.rb
@@ -21,8 +21,11 @@ module API
     end
 
     # Check the Rails session for valid authentication details
+    #
+    # Until CSRF protection is added to the API, disallow this method for
+    # state-changing endpoints
     def find_user_from_warden
-      warden ? warden.authenticate : nil
+      warden.try(:authenticate) if request.get? || request.head?
     end
 
     def find_user_by_private_token
author	Nick Thomas <nick@gitlab.com>	2016-09-22 13:56:43 +0100
committer	Nick Thomas <nick@gitlab.com>	2016-09-23 12:21:47 +0100
commit	fd51f19c978023160ad759676a0363c12aea3fc8 (patch)
tree	06ca61ae539d3432aadda0a45f95295bd8ad9186 /lib/api
parent	294482f38388542b43b908dcb427759544a7486f (diff)
download	gitlab-ce-fd51f19c978023160ad759676a0363c12aea3fc8.tar.gz