Commit ffcf50c8 authored by Peter Leitzen's avatar Peter Leitzen Committed by Tim Zallmann

Don't set gon variables in JSON requests

parent 7a3d74af
...@@ -20,13 +20,13 @@ class ApplicationController < ActionController::Base ...@@ -20,13 +20,13 @@ class ApplicationController < ActionController::Base
before_action :ldap_security_check before_action :ldap_security_check
before_action :sentry_context before_action :sentry_context
before_action :default_headers before_action :default_headers
before_action :add_gon_variables, unless: :peek_request? before_action :add_gon_variables, unless: [:peek_request?, :json_request?]
before_action :configure_permitted_parameters, if: :devise_controller? before_action :configure_permitted_parameters, if: :devise_controller?
before_action :require_email, unless: :devise_controller? before_action :require_email, unless: :devise_controller?
around_action :set_locale around_action :set_locale
after_action :set_page_title_header, if: -> { request.format == :json } after_action :set_page_title_header, if: :json_request?
protect_from_forgery with: :exception, prepend: true protect_from_forgery with: :exception, prepend: true
...@@ -424,6 +424,10 @@ class ApplicationController < ActionController::Base ...@@ -424,6 +424,10 @@ class ApplicationController < ActionController::Base
request.path.start_with?('/-/peek') request.path.start_with?('/-/peek')
end end
def json_request?
request.format.json?
end
def should_enforce_terms? def should_enforce_terms?
return false unless Gitlab::CurrentSettings.current_application_settings.enforce_terms return false unless Gitlab::CurrentSettings.current_application_settings.enforce_terms
......
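Review bot: `json_request?` in the second hunk calls `request.format.json?`, but as far as I recall Rails builds `formats` from `Array(Mime[params[:format]])`, so `request.format` is nil when the format parameter names no registered MIME type; the before_action condition would then raise NoMethodError where the replaced `request.format == :json` comparison in the first hunk quietly returned false — worth confirming against the project's Rails version. Keeping the nil-tolerant form, e.g. `request.format&.json?` or simply `request.format == :json`, avoids turning an unrecognised format into a 500 before the action runs. The new predicate also has no comment; something like `# True when the negotiated response format is JSON; used to skip HTML-only before_actions.` would document why both callbacks reference it. The ApplicationController class body continues outside both hunks.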
---
title: Don't set gon variables in JSON requests
merge_request: 21016
author: Peter Leitzen
type: performance
...@@ -56,6 +56,57 @@ describe ApplicationController do ...@@ -56,6 +56,57 @@ describe ApplicationController do
end end
end end
describe '#add_gon_variables' do
before do
Gon.clear
sign_in user
end
let(:json_response) { JSON.parse(response.body) }
controller(described_class) do
def index
render json: Gon.all_variables
end
end
shared_examples 'setting gon variables' do
it 'sets gon variables' do
get :index, format: format
expect(json_response.size).not_to be_zero
end
end
shared_examples 'not setting gon variables' do
it 'does not set gon variables' do
get :index, format: format
expect(json_response.size).to be_zero
end
end
context 'with html format' do
let(:format) { :html }
it_behaves_like 'setting gon variables'
context 'for peek requests' do
before do
request.path = '/-/peek'
end
it_behaves_like 'not setting gon variables'
end
end
context 'with json format' do
let(:format) { :json }
it_behaves_like 'not setting gon variables'
end
end
describe "#authenticate_user_from_personal_access_token!" do describe "#authenticate_user_from_personal_access_token!" do
before do before do
stub_authentication_activity_metrics(debug: false) stub_authentication_activity_metrics(debug: false)
......
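Review bot: The new `#add_gon_variables` examples cover html, peek and json formats but not a request whose format is unregistered, which is the case where `request.format` may be nil and `json_request?` could behave differently from the old `request.format == :json` check. A context such as `get :index, format: :unknown` that expects the html behaviour (variables set, no error raised) would pin that path down, provided the controller test harness lets such a request reach the before_action. The `describe '#add_gon_variables'` block sits inside `describe ApplicationController`, which continues outside the hunk.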