Support download access by PRIVATE-TOKEN header

Currently there is no way to download a raw file without embedding the token in the URL, which exposes the token in the URL. There should be an way of sending this information via the header as the API does. Closes https://github.com/gitlabhq/gitlabhq/issues/8137

Support download access by PRIVATE-TOKEN header
Currently there is no way to download a raw file without embedding the token in the URL, which exposes the token in the URL. There should be an way of sending this information via the header as the API does. Closes https://github.com/gitlabhq/gitlabhq/issues/8137
7aa739dd · Stan Hu · Rémy Coutable · bb51e9c6 · 7aa739dd · 7aa739dd
Commit 7aa739dd authored Jan 20, 2016 by Stan Hu Committed by Rémy Coutable Feb 03, 2016
Show whitespace changes
Inline Side-by-side

Showing with 3 additions and 0 deletions

CHANGELOG CHANGELOG +1 -0

app/controllers/application_controller.rb app/controllers/application_controller.rb +2 -0

No files found.
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -6,6 +6,7 @@ v 8.5.0 (unreleased)
  - Add "visibility" flag to GET /projects api endpoint
  - Ignore binary files in code search to prevent Error 500 (Stan Hu)
  - Render sanitized SVG images (Stan Hu)
+  - Support download access by PRIVATE-TOKEN header (Stan Hu)
  - Upgrade gitlab_git to 7.2.23 to fix commit message mentions in first branch push
  - New UI for pagination
  - Don't prevent sign out when 2FA enforcement is enabled and user hasn't yet

--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -60,6 +60,8 @@ class ApplicationController < ActionController::Base
                   params[:authenticity_token].presence
                 elsif params[:private_token].presence
                   params[:private_token].presence
+                 elsif request.headers['PRIVATE-TOKEN'].present?
+                   request.headers['PRIVATE-TOKEN']
                 end
    user = user_token && User.find_by_authentication_token(user_token.to_s)