Don't try to find a user by personal_access_token if the token is nil (!10146) · Merge requests · GitLab.org / GitLab FOSS

username-removed-128633 requested to merge dont-find-by-token-when-no-token-is-present into master Mar 22, 2017

What does this MR do?

Out of luck, I found that we're running User.find_by_personal_access_token on each page load, whether a private_token param/PRIVATE-TOKEN header is present or not!

Fortunately, User.find_by_authentication_token already avoid running a query when token is not present, but User.find_by_personal_access_token was not.

This was resulting in the following, on each request:

Started GET "/" for 127.0.0.1 at 2017-03-22 15:31:02 +0100
Processing by RootController#index as HTML
  PersonalAccessToken Load (0.4ms)  SELECT  "personal_access_tokens".* FROM "personal_access_tokens" WHERE (revoked = false AND (expires_at >= NOW() OR expires_at IS NULL)) AND "personal_access_tokens"."token" IS NULL LIMIT 1

Are there points in the code the reviewer needs to double check?

I don't think so.

Admin message

Admin message

Don't try to find a user by personal_access_token if the token is nil

What does this MR do?

Are there points in the code the reviewer needs to double check?

Merge request reports