Support download access by PRIVATE-TOKEN header

Currently there is no way to download a raw file without embedding the token in the URL, which exposes the token in the URL. There should be an way of sending this information via the header as the API does. Closes https://github.com/gitlabhq/gitlabhq/issues/8137
author: Stan Hu <stanhu@gmail.com> 2016-01-20 23:00:28 +0300
committer: Rémy Coutable <remy@rymai.me> 2016-02-03 17:42:24 +0300
commit: 7aa739ddc720dcba42a2f54934b10f369d4cf566 (patch)
tree: 03a2ab63badff13838d7a3240e0fb043061a2947 /app/controllers/application_controller.rb
parent: bb51e9c66ee91f70f11f210b03fe0a36885bb05d (diff)
1 files changed, 2 insertions, 0 deletions
diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb
index 824175c8a6c..7fa2f68ef07 100644
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -60,6 +60,8 @@ class ApplicationController < ActionController::Base
                    params[:authenticity_token].presence
                  elsif params[:private_token].presence
                    params[:private_token].presence
+                 elsif request.headers['PRIVATE-TOKEN'].present?
+                   request.headers['PRIVATE-TOKEN']
                  end
     user = user_token && User.find_by_authentication_token(user_token.to_s)
author	Stan Hu <stanhu@gmail.com>	2016-01-20 23:00:28 +0300
committer	Rémy Coutable <remy@rymai.me>	2016-02-03 17:42:24 +0300
commit	7aa739ddc720dcba42a2f54934b10f369d4cf566 (patch)
tree	03a2ab63badff13838d7a3240e0fb043061a2947 /app/controllers/application_controller.rb
parent	bb51e9c66ee91f70f11f210b03fe0a36885bb05d (diff)