Commit 055c160b authored by Jan Provaznik's avatar Jan Provaznik

Merge branch 'ce-jej/fix-git-http-with-sso-enforcement' into 'master'

Avoid setting Gitlab::Session on sessionless requests and Git HTTP

See merge request gitlab-org/gitlab-ce!29146
parents 549d64c6 c7d9d462
...@@ -440,6 +440,8 @@ class ApplicationController < ActionController::Base ...@@ -440,6 +440,8 @@ class ApplicationController < ActionController::Base
end end
def set_session_storage(&block) def set_session_storage(&block)
return yield if sessionless_user?
Gitlab::Session.with_session(session, &block) Gitlab::Session.with_session(session, &block)
end end
......
...@@ -15,6 +15,7 @@ class Projects::GitHttpClientController < Projects::ApplicationController ...@@ -15,6 +15,7 @@ class Projects::GitHttpClientController < Projects::ApplicationController
alias_method :authenticated_user, :actor alias_method :authenticated_user, :actor
# Git clients will not know what authenticity token to send along # Git clients will not know what authenticity token to send along
skip_around_action :set_session_storage
skip_before_action :verify_authenticity_token skip_before_action :verify_authenticity_token
skip_before_action :repository skip_before_action :repository
before_action :authenticate_user before_action :authenticate_user
......
---
title: Avoid setting Gitlab::Session on sessionless requests and Git HTTP
merge_request: 29146
author:
type: fixed
...@@ -691,4 +691,38 @@ describe ApplicationController do ...@@ -691,4 +691,38 @@ describe ApplicationController do
end end
end end
end end
context 'Gitlab::Session' do
controller(described_class) do
prepend_before_action do
authenticate_sessionless_user!(:rss)
end
def index
if Gitlab::Session.current
head :created
else
head :not_found
end
end
end
it 'is set on web requests' do
sign_in(user)
get :index
expect(response).to have_gitlab_http_status(:created)
end
context 'with sessionless user' do
it 'is not set' do
personal_access_token = create(:personal_access_token, user: user)
get :index, format: :atom, params: { private_token: personal_access_token.token }
expect(response).to have_gitlab_http_status(:not_found)
end
end
end
end end
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment