Allow Session requests on GET without frontend header

This is required since now attachments are displayed through apiv3 URLs.
GET requests are safe to request without the header present.
pull/6346/head
Oliver Günther 6 years ago
parent 22178e12d9
commit 7d8526d77f
No known key found for this signature in database
GPG Key ID: 88872239EB414F99
  1. 11
      lib/open_project/authentication/strategies/warden/session.rb

@ -12,7 +12,16 @@ module OpenProject
include ::OpenProject::Authentication::SessionExpiry
def valid?
session && !session_ttl_expired? && xml_request_header_set?
# A session must exist and valid
return false if session.nil? || session_ttl_expired?
# We allow GET requests on the API session
# without headers (e.g., for images on attachments)
return true if request.get?
# For all other requests, to mitigate CSRF vectors,
# require the frontend header to be present.
xml_request_header_set?
end
def authenticate!
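Review bot: the `return true if request.get?` line exempts every GET request handled by this session strategy from the frontend-header check, not just the attachment URLs named in the commit message, so the CSRF mitigation described in the comment ("For all other requests, to mitigate CSRF vectors") now depends on no session-authenticated GET endpoint in the API having side effects. Either scope the exemption to the attachment routes this change is for, or state that invariant in the comment so later GET endpoints are written with it in mind. Minor: the comment "A session must exist and valid" should read "A session must exist and be valid".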
