Diffstat (limited to 'lib/api/api_guard.rb')
-rw-r--r--lib/api/api_guard.rb15
1 files changed, 11 insertions, 4 deletions
diff --git a/lib/api/api_guard.rb b/lib/api/api_guard.rb
index df550f12c0d..81a640d9a93 100644
--- a/lib/api/api_guard.rb
+++ b/lib/api/api_guard.rb
@@ -57,10 +57,7 @@ module API
user = find_user_from_sources
return unless user
- if user.is_a?(User) && Gitlab::CurrentSettings.admin_mode
- # Sessions are enforced to be unavailable for API calls, so ignore them for admin mode
- Gitlab::Auth::CurrentUserMode.bypass_session!(user.id)
- end
+ Gitlab::Auth::CurrentUserMode.bypass_session!(user.id) if bypass_session_for_admin_mode?(user)
unless api_access_allowed?(user)
forbidden!(api_access_denied_message(user))
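Review bot: The rationale that the removed comment carried ("Sessions are enforced to be unavailable for API calls") disappears with the refactor, and the new call on line 23 gives no hint why `bypass_session!` is needed before `api_access_allowed?` runs. Since the new helper in the second hunk now also reads `current_request.session`, the old wording would no longer be accurate, so a replacement comment should describe the current contract instead, e.g. `# Admin mode is normally tracked in the session; mark it per request here so it is honoured for API calls without one`. The enclosing method begins before this hunk, so the comment placement should be checked against its surrounding guards.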
@@ -85,6 +82,16 @@ module API
private
+ def bypass_session_for_admin_mode?(user)
+ return user.is_a?(User) && Gitlab::CurrentSettings.admin_mode if Feature.disabled?(:admin_mode_for_api)
+
+ return false unless Gitlab::CurrentSettings.admin_mode
+ return false unless user.is_a?(User)
+
+ Gitlab::Session.with_session(current_request.session) { Gitlab::Auth::CurrentUserMode.new(user).admin_mode? } ||
+ Gitlab::Auth::RequestAuthenticator.new(current_request).valid_access_token?(scopes: [:admin_mode])
+ end
+
# An array of scopes that were registered (using `allow_access_with_scope`)
# for the current endpoint class. It also returns scopes registered on
# `API::API`, since these are meant to apply to all API routes.
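Review bot: The session check on line 34 and the token-scope check on line 35 are evaluated independently of how `user` was authenticated, so a request whose user came from one credential could be elevated by admin-mode state carried in another — e.g. a personal access token lacking the `admin_mode` scope sent alongside a browser session cookie in which admin mode is active, if `Gitlab::Session.with_session(current_request.session)` exposes that cookie session here. Whether `CurrentUserMode.new(user).admin_mode?` verifies that the session actually belongs to `user`, and whether `valid_access_token?` resolves to the same token that produced `user` in `find_user_from_sources`, cannot be seen from this hunk; if neither does, the helper should consult only the check that matches the credential source the user was resolved from. The `Feature.disabled?` branch on line 29 keeps the previous unconditional bypass for every `User` whenever the admin-mode setting is on, which deserves a comment so it is not read as a second check: `# Legacy behaviour while :admin_mode_for_api is off: admins are always in admin mode for API calls`. `bypass_session_for_admin_mode?` is fully visible here; its only caller is in the first hunk.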