Skip to content

Do not validate CSRF token in API unless needed

Douwe Maan requested to merge dm-api-current-user into master

Fixes https://gitlab.com/gitlab-org/gitlab-ce/issues/35705

Calling current_user automatically triggers CSRF token validation, and we were calling current_user even in cases where we knew we didn't need it through a before.

/cc @stanhu @ayufan

Merge request reports