Merge branch '22435-no-api-state-change-via-rails-session' into 'security'

API: disable rails session auth for non-GET/HEAD requests Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/22435 See merge request !1999 Signed-off-by: Rémy Coutable <remy@rymai.me>
author: Douwe Maan <douwe@gitlab.com> 2016-09-28 17:44:11 +0300
committer: Rémy Coutable <remy@rymai.me> 2016-09-28 18:49:32 +0300
commit: 4f1a1bbc2b0501dd7ba227597e115517e3a1fb3f (patch)
tree: 41638f2a08bbf34c280b2829ce0daade617f26ad /CHANGELOG
parent: 9989f9493513af633f537196d47120bb821d9350 (diff)
1 files changed, 1 insertions, 0 deletions
diff --git a/CHANGELOG b/CHANGELOG
index 8489df5c9a2..81f9ea2de5d 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -3,6 +3,7 @@ Please view this file on the master branch, on stable branches it's out of date.
 v 8.11.8
   - Respect the fork_project permission when forking projects
   - Set a restrictive CORS policy on the API for credentialed requests
+  - API: disable rails session auth for non-GET/HEAD requests
 
 v 8.11.7
   - Avoid conflict with admin labels when importing GitHub labels. !6158
author	Douwe Maan <douwe@gitlab.com>	2016-09-28 17:44:11 +0300
committer	Rémy Coutable <remy@rymai.me>	2016-09-28 18:49:32 +0300
commit	4f1a1bbc2b0501dd7ba227597e115517e3a1fb3f (patch)
tree	41638f2a08bbf34c280b2829ce0daade617f26ad /CHANGELOG
parent	9989f9493513af633f537196d47120bb821d9350 (diff)