Diffstat (limited to 'lib/api/api_guard.rb')
-rw-r--r-- | lib/api/api_guard.rb | 15 |
1 files changed, 11 insertions, 4 deletions
diff --git a/lib/api/api_guard.rb b/lib/api/api_guard.rb
index df550f12c0d..81a640d9a93 100644
--- a/lib/api/api_guard.rb
+++ b/lib/api/api_guard.rb
@@ -57,10 +57,7 @@ module API
 user = find_user_from_sources
 return unless user
 
- if user.is_a?(User) && Gitlab::CurrentSettings.admin_mode
- # Sessions are enforced to be unavailable for API calls, so ignore them for admin mode
- Gitlab::Auth::CurrentUserMode.bypass_session!(user.id)
- end
+ Gitlab::Auth::CurrentUserMode.bypass_session!(user.id) if bypass_session_for_admin_mode?(user)
 
 unless api_access_allowed?(user)
 forbidden!(api_access_denied_message(user))
@@ -85,6 +82,16 @@ module API
 
 private
 
+ def bypass_session_for_admin_mode?(user)
+ return user.is_a?(User) && Gitlab::CurrentSettings.admin_mode if Feature.disabled?(:admin_mode_for_api)
+
+ return false unless Gitlab::CurrentSettings.admin_mode
+ return false unless user.is_a?(User)
+
+ Gitlab::Session.with_session(current_request.session) { Gitlab::Auth::CurrentUserMode.new(user).admin_mode? } ||
+ Gitlab::Auth::RequestAuthenticator.new(current_request).valid_access_token?(scopes: [:admin_mode])
+ end
+
 # An array of scopes that were registered (using `allow_access_with_scope`)
 # for the current endpoint class. It also returns scopes registered on
 # `API::API`, since these are meant to apply to all API routes. |
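Review bot: The comment that explained why the session is bypassed for API calls was dropped from the first hunk and nothing replaces it, so `bypass_session_for_admin_mode?` in the second hunk now silently encodes two different authorization policies with no documentation of either; a YARD header on the new method should state that with `:admin_mode_for_api` disabled any `User` is bypassed whenever the instance setting is on (the legacy behaviour), and with it enabled the bypass additionally requires admin mode to already be active in the request's session or an access token carrying the `admin_mode` scope, and should note that `current_request.session` is read even though sessions were previously described as unavailable for API calls (worth confirming that is intended). The shared `User`/`admin_mode` guards are also evaluated on both flag paths; the three-line shape `return false unless user.is_a?(User) && Gitlab::CurrentSettings.admin_mode`, `return true if Feature.disabled?(:admin_mode_for_api)`, then the existing `||` expression is equivalent in result and makes the flag only widen or narrow one decision. The method that contains the first hunk's `bypass_session!` call starts and ends outside the hunk.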