Commit 866f544c authored by James Edwards-Jones's avatar James Edwards-Jones

Avoid setting Gitlab::Session on sessionless requests

parent dbcbfc26
...@@ -440,6 +440,8 @@ class ApplicationController < ActionController::Base ...@@ -440,6 +440,8 @@ class ApplicationController < ActionController::Base
end end
def set_session_storage(&block) def set_session_storage(&block)
return yield if sessionless_user?
Gitlab::Session.with_session(session, &block) Gitlab::Session.with_session(session, &block)
end end
......
---
title: Avoid setting Gitlab::Session on sessionless requests and Git HTTP
merge_request: 29146
author:
type: fixed
...@@ -691,4 +691,38 @@ describe ApplicationController do ...@@ -691,4 +691,38 @@ describe ApplicationController do
end end
end end
end end
context 'Gitlab::Session' do
controller(described_class) do
prepend_before_action do
authenticate_sessionless_user!(:rss)
end
def index
if Gitlab::Session.current
head :created
else
head :not_found
end
end
end
it 'is set on web requests' do
sign_in(user)
get :index
expect(response).to have_gitlab_http_status(:created)
end
context 'with sessionless user' do
it 'is not set' do
personal_access_token = create(:personal_access_token, user: user)
get :index, format: :atom, params: { private_token: personal_access_token.token }
expect(response).to have_gitlab_http_status(:not_found)
end
end
end
end end
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment