diff options
author | Nick Thomas <nick@gitlab.com> | 2019-03-27 17:59:03 +0300 |
---|---|---|
committer | Nick Thomas <nick@gitlab.com> | 2019-03-27 17:59:03 +0300 |
commit | 98824f3e97e24a5d6cb0688167bc8411a74739fc (patch) | |
tree | a763b5e4a28ba39c0bff6abd9804063f8d1f2cf9 /app | |
parent | b78aa81f323d16b71af40e2f6fc201d7e7a9a855 (diff) | |
parent | 73b553a42a1dec7bd38e0aeeb5514c2a566a98c9 (diff) |
Merge branch 'issue_58547' into 'master'
Add API access check to Graphql
Closes #58547
See merge request gitlab-org/gitlab-ce!26570
Diffstat (limited to 'app')
-rw-r--r-- | app/controllers/graphql_controller.rb | 5 |
1 files changed, 5 insertions, 0 deletions
diff --git a/app/controllers/graphql_controller.rb b/app/controllers/graphql_controller.rb index e147d32be2e..7b5dc22815c 100644 --- a/app/controllers/graphql_controller.rb +++ b/app/controllers/graphql_controller.rb @@ -12,6 +12,7 @@ class GraphqlController < ApplicationController protect_from_forgery with: :null_session, only: :execute before_action :check_graphql_feature_flag! + before_action :authorize_access_api! before_action(only: [:execute]) { authenticate_sessionless_user!(:api) } def execute @@ -37,6 +38,10 @@ class GraphqlController < ApplicationController private + def authorize_access_api! + access_denied!("API not accessible for user.") unless can?(current_user, :access_api) + end + # Overridden from the ApplicationController to make the response look like # a GraphQL response. That is nicely picked up in Graphiql. def render_404 |