From bcd813c0958b10a9b87e162a85a434255002e027 Mon Sep 17 00:00:00 2001
From: Mayra Cabrera <mcabrera@gitlab.com>
Date: Tue, 9 Jul 2019 03:58:49 +0000
Subject: [PATCH] Limit user information to RackAttack throttles

rack.attack.match_discriminator is only return on
throttle_authenticated_api or throttle_authenticated_web requests, so
we're avoiding logging user_id on blacklist requests

Follow up of https://gitlab.com/gitlab-org/gitlab-ce/issues/62756
---
 config/initializers/rack_attack_logging.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/config/initializers/rack_attack_logging.rb b/config/initializers/rack_attack_logging.rb
index 338e968cc6c..7eb34bd69e5 100644
--- a/config/initializers/rack_attack_logging.rb
+++ b/config/initializers/rack_attack_logging.rb
@@ -12,7 +12,7 @@ ActiveSupport::Notifications.subscribe('rack.attack') do |name, start, finish, r
       fullpath: req.fullpath
     }
 
-    if req.env['rack.attack.matched'] != 'throttle_unauthenticated'
+    if %w(throttle_authenticated_api throttle_authenticated_web).include? req.env['rack.attack.matched']
       user_id = req.env['rack.attack.match_discriminator']
       user = User.find_by(id: user_id)