From 7aa739ddc720dcba42a2f54934b10f369d4cf566 Mon Sep 17 00:00:00 2001
From: Stan Hu
Date: Wed, 20 Jan 2016 12:00:28 -0800
Subject: Support download access by PRIVATE-TOKEN header

Currently there is no way to download a raw file without embedding the token in the URL, which exposes the token in the URL. There should be an way of sending this information via the header as the API does.

Closes https://github.com/gitlabhq/gitlabhq/issues/8137
---
 app/controllers/application_controller.rb | 2 ++
 1 file changed, 2 insertions(+)
(limited to 'app/controllers/application_controller.rb')
diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb
index 824175c8a6c..7fa2f68ef07 100644
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -60,6 +60,8 @@ class ApplicationController < ActionController::Base
 params[:authenticity_token].presence
 elsif params[:private_token].presence
 params[:private_token].presence
+ elsif request.headers['PRIVATE-TOKEN'].present?
+ request.headers['PRIVATE-TOKEN']
 end
 user = user_token && User.find_by_authentication_token(user_token.to_s)
-- 
cgit v1.2.1
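Review bot: The added `elsif` is reached only when neither `params[:authenticity_token]` nor `params[:private_token]` is set, so a request carrying both a URL token and a `PRIVATE-TOKEN` header authenticates with the URL value and silently ignores the header. Since the commit's aim is to keep tokens out of URLs, a short comment above the chain stating that precedence (or checking the header first) would make the behaviour explicit. The new branch also tests with `.present?` and returns the raw header, while the two branches above use `.presence` for both the test and the value; `elsif request.headers['PRIVATE-TOKEN'].presence` followed by the same expression would match them. This page is limited to one file, so a spec for the header path may exist elsewhere; if not, one asserting that a blank or unknown header value does not authenticate would be worth adding. The enclosing method begins and ends outside the hunk.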