From fe5f75930e781ef854b458fafa307ebb90a8ed2e Mon Sep 17 00:00:00 2001
From: Cindy Pallares <cindy@gitlab.com>
Date: Wed, 28 Nov 2018 19:06:02 +0000
Subject: Merge branch 'security-fix-pat-web-access' into 'master'

[master] Resolve "Personal access token with only `read_user` scope can be used to authenticate any web request"

See merge request gitlab/gitlabhq!2583
---
 app/controllers/groups_controller.rb | 3 +++
 1 file changed, 3 insertions(+)

(limited to 'app/controllers/groups_controller.rb')

diff --git a/app/controllers/groups_controller.rb b/app/controllers/groups_controller.rb
index 062c8c4e9e1..c5d8ac2ed77 100644
--- a/app/controllers/groups_controller.rb
+++ b/app/controllers/groups_controller.rb
@@ -9,6 +9,9 @@ class GroupsController < Groups::ApplicationController
 
   respond_to :html
 
+  prepend_before_action(only: [:show, :issues]) { authenticate_sessionless_user!(:rss) }
+  prepend_before_action(only: [:issues_calendar]) { authenticate_sessionless_user!(:ics) }
+
   before_action :authenticate_user!, only: [:new, :create]
   before_action :group, except: [:index, :new, :create]
 
-- 
cgit v1.2.3