diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb index 6e98d66d712..7321f719deb 100644 --- a/app/controllers/application_controller.rb +++ b/app/controllers/application_controller.rb @@ -440,6 +440,8 @@ class ApplicationController < ActionController::Base end def set_session_storage(&block) + return yield if sessionless_user? + Gitlab::Session.with_session(session, &block) end diff --git a/app/controllers/projects/git_http_client_controller.rb b/app/controllers/projects/git_http_client_controller.rb index 7a80da53025..956093b972b 100644 --- a/app/controllers/projects/git_http_client_controller.rb +++ b/app/controllers/projects/git_http_client_controller.rb @@ -15,6 +15,7 @@ class Projects::GitHttpClientController < Projects::ApplicationController alias_method :authenticated_user, :actor # Git clients will not know what authenticity token to send along + skip_around_action :set_session_storage skip_before_action :verify_authenticity_token skip_before_action :repository before_action :authenticate_user diff --git a/changelogs/unreleased/ce-jej-fix-git-http-with-sso-enforcement.yml b/changelogs/unreleased/ce-jej-fix-git-http-with-sso-enforcement.yml new file mode 100644 index 00000000000..a795e33b00d --- /dev/null +++ b/changelogs/unreleased/ce-jej-fix-git-http-with-sso-enforcement.yml @@ -0,0 +1,5 @@ +--- +title: Avoid setting Gitlab::Session on sessionless requests and Git HTTP +merge_request: 29146 +author: +type: fixed diff --git a/spec/controllers/application_controller_spec.rb b/spec/controllers/application_controller_spec.rb index 5ecd1b6b7c8..40669ec5451 100644 --- a/spec/controllers/application_controller_spec.rb +++ b/spec/controllers/application_controller_spec.rb @@ -691,4 +691,38 @@ describe ApplicationController do end end end + + context 'Gitlab::Session' do + controller(described_class) do + prepend_before_action do + authenticate_sessionless_user!(:rss) + end + + def index + if Gitlab::Session.current + head :created + else + head :not_found + end + end + end + + it 'is set on web requests' do + sign_in(user) + + get :index + + expect(response).to have_gitlab_http_status(:created) + end + + context 'with sessionless user' do + it 'is not set' do + personal_access_token = create(:personal_access_token, user: user) + + get :index, format: :atom, params: { private_token: personal_access_token.token } + + expect(response).to have_gitlab_http_status(:not_found) + end + end + end end