Diffstat (limited to 'app/controllers/graphql_controller.rb')
-rw-r--r-- | app/controllers/graphql_controller.rb | 8 |
1 files changed, 8 insertions, 0 deletions
diff --git a/app/controllers/graphql_controller.rb b/app/controllers/graphql_controller.rb
index 29bc48f93e9..1941920325f 100644
--- a/app/controllers/graphql_controller.rb
+++ b/app/controllers/graphql_controller.rb
@@ -255,6 +255,12 @@ class GraphqlController < ApplicationController
 end
 def authorize_access_api!
+ if current_user.nil? &&
+ request_authenticator.authentication_token_present? &&
+ Feature.enabled?(:invalid_graphql_auth_401)
+ render_error('Invalid token', status: :unauthorized)
+ end
+
 return if can?(current_user, :access_api)
 render_error('API not accessible for user', status: :forbidden)
@@ -301,6 +307,8 @@ class GraphqlController < ApplicationController
 end
 def introspection_query_can_use_cache?
+ return false if Gitlab.dev_or_test_env?
+
 CACHED_INTROSPECTION_QUERY_STRING == graphql_query_object.query_string.squish
 end
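Review bot: The new `if` block in authorize_access_api! renders the 401 but does not stop the action, so control continues to `return if can?(current_user, :access_api)` and, if that check is false for a nil user, to the second `render_error`, which would be a double render — unless render_error itself halts, which cannot be confirmed here because its definition is outside the hunk. A one-line change closes the gap: `return render_error('Invalid token', status: :unauthorized)` in place of the bare call. The intent also deserves a why-comment above the condition, e.g. `# A token was presented but resolved to no user: answer 401 so clients can tell bad credentials apart from missing permissions (403).` With the feature flag off an invalid token still falls through to the existing 403 path, so that behaviour is unchanged.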
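Review bot: The early `return false if Gitlab.dev_or_test_env?` added to introspection_query_can_use_cache? carries no explanation, so a later reader cannot tell whether bypassing the cache in those environments is a correctness requirement or a convenience. A short why-comment above the line would settle that, e.g. `# Never serve the cached introspection response outside production-like environments — TODO(review): state the reason (stale schema during development?)`. The rest of the method is unchanged by this hunk.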