From 988b28ec1a379d38f6ac9ed04886ee564fd447fd Mon Sep 17 00:00:00 2001
From: GitLab Bot <gitlab-bot@gitlab.com>
Date: Mon, 2 Mar 2020 12:07:57 +0000
Subject: Add latest changes from gitlab-org/gitlab@master

---
 app/controllers/graphql_controller.rb | 5 +++++
 1 file changed, 5 insertions(+)

(limited to 'app/controllers/graphql_controller.rb')

diff --git a/app/controllers/graphql_controller.rb b/app/controllers/graphql_controller.rb
index d7ff2ded5ae..522d171b5bf 100644
--- a/app/controllers/graphql_controller.rb
+++ b/app/controllers/graphql_controller.rb
@@ -15,6 +15,11 @@ class GraphqlController < ApplicationController
   before_action :authorize_access_api!
   before_action(only: [:execute]) { authenticate_sessionless_user!(:api) }
 
+  # Since we deactivate authentication from the main ApplicationController and
+  # defer it to :authorize_access_api!, we need to override the bypass session
+  # callback execution order here
+  around_action :sessionless_bypass_admin_mode!, if: :sessionless_user?
+
   def execute
     result = multiplex? ? execute_multiplex : execute_query
 
-- 
cgit v1.2.3