diff options
author | Cindy Pallares <cindy@gitlab.com> | 2018-11-28 22:06:02 +0300 |
---|---|---|
committer | Cindy Pallares <cindy@gitlab.com> | 2018-11-29 03:13:59 +0300 |
commit | fe5f75930e781ef854b458fafa307ebb90a8ed2e (patch) | |
tree | 7160814e28d056568685e8fe84456755ce02fecd /config | |
parent | e122e14ac6a25c7813ca888a97bd4a3298e78d9d (diff) |
Merge branch 'security-fix-pat-web-access' into 'master'
[master] Resolve "Personal access token with only `read_user` scope can be used to authenticate any web request"
See merge request gitlab/gitlabhq!2583
Diffstat (limited to 'config')
-rw-r--r-- | config/initializers/rack_attack_global.rb | 10 |
1 files changed, 5 insertions, 5 deletions
diff --git a/config/initializers/rack_attack_global.rb b/config/initializers/rack_attack_global.rb index 45963831c41..86cb930eca9 100644 --- a/config/initializers/rack_attack_global.rb +++ b/config/initializers/rack_attack_global.rb @@ -33,22 +33,22 @@ class Rack::Attack throttle('throttle_authenticated_api', Gitlab::Throttle.authenticated_api_options) do |req| Gitlab::Throttle.settings.throttle_authenticated_api_enabled && req.api_request? && - req.authenticated_user_id + req.authenticated_user_id([:api]) end throttle('throttle_authenticated_web', Gitlab::Throttle.authenticated_web_options) do |req| Gitlab::Throttle.settings.throttle_authenticated_web_enabled && req.web_request? && - req.authenticated_user_id + req.authenticated_user_id([:api, :rss, :ics]) end class Request def unauthenticated? - !authenticated_user_id + !authenticated_user_id([:api, :rss, :ics]) end - def authenticated_user_id - Gitlab::Auth::RequestAuthenticator.new(self).user&.id + def authenticated_user_id(request_formats) + Gitlab::Auth::RequestAuthenticator.new(self).user(request_formats)&.id end def api_request? |