Merge branch 'master' into all-filter-toggleall-filter-toggle

author: Phil Hughes <me@iamphill.com> 2016-10-12 12:00:49 +0300
committer: Phil Hughes <me@iamphill.com> 2016-10-12 12:00:49 +0300
commit: e5eab3bd000908dff4e03b9c19e88689071c81b5 (patch)
tree: 32e85ed38d1546db4a7fd2760bae626981e24b12 /lib/api/helpers.rb
parent: 533a6fa765ad09368b42d29536c549d68ba7b8d1 (diff)
parent: d3a9838065ab4cd4d1519f6d201b43c9a2b12f2c (diff)
1 files changed, 5 insertions, 2 deletions
diff --git a/lib/api/helpers.rb b/lib/api/helpers.rb
index 714d4ea3dc6..67473f300c9 100644
--- a/lib/api/helpers.rb
+++ b/lib/api/helpers.rb
@@ -21,8 +21,11 @@ module API
     end
 
     # Check the Rails session for valid authentication details
+    #
+    # Until CSRF protection is added to the API, disallow this method for
+    # state-changing endpoints
     def find_user_from_warden
-      warden ? warden.authenticate : nil
+      warden.try(:authenticate) if %w[GET HEAD].include?(env['REQUEST_METHOD'])
     end
 
     def find_user_by_private_token
@@ -430,7 +433,7 @@ module API
     end
 
     def secret_token
-      File.read(Gitlab.config.gitlab_shell.secret_file).chomp
+      Gitlab::Shell.secret_token
     end
 
     def send_git_blob(repository, blob)
author	Phil Hughes <me@iamphill.com>	2016-10-12 12:00:49 +0300
committer	Phil Hughes <me@iamphill.com>	2016-10-12 12:00:49 +0300
commit	e5eab3bd000908dff4e03b9c19e88689071c81b5 (patch)
tree	32e85ed38d1546db4a7fd2760bae626981e24b12 /lib/api/helpers.rb
parent	533a6fa765ad09368b42d29536c549d68ba7b8d1 (diff)
parent	d3a9838065ab4cd4d1519f6d201b43c9a2b12f2c (diff)