Don't set gon variables in JSON requests

ffcf50c8 · Peter Leitzen · Tim Zallmann · 7a3d74af · ffcf50c8 · ffcf50c8
Commit ffcf50c8 authored 6 years ago by Peter Leitzen Committed by Tim Zallmann 6 years ago
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -20,13 +20,13 @@ class ApplicationController < ActionController::Base
  before_action :ldap_security_check
  before_action :sentry_context
  before_action :default_headers
-  before_action :add_gon_variables, unless: :peek_request?
+  before_action :add_gon_variables, unless: [:peek_request?, :json_request?]
  before_action :configure_permitted_parameters, if: :devise_controller?
  before_action :require_email, unless: :devise_controller?
  
  around_action :set_locale
  
-  after_action :set_page_title_header, if: -> { request.format == :json }
+  after_action :set_page_title_header, if: :json_request?
  
  protect_from_forgery with: :exception, prepend: true
  
@@ -424,6 +424,10 @@ class ApplicationController < ActionController::Base
    request.path.start_with?('/-/peek')
  end
  
+  def json_request?
+    request.format.json?
+  end
+
  def should_enforce_terms?
    return false unless Gitlab::CurrentSettings.current_application_settings.enforce_terms
  

--- a/changelogs/unreleased/pl-json-gon.yml
+++ b/changelogs/unreleased/pl-json-gon.yml
+---
+title: Don't set gon variables in JSON requests
+merge_request: 21016
+author: Peter Leitzen
+type: performance
--- a/spec/controllers/application_controller_spec.rb
+++ b/spec/controllers/application_controller_spec.rb
@@ -56,6 +56,57 @@ describe ApplicationController do
    end
  end
  
+  describe '#add_gon_variables' do
+    before do
+      Gon.clear
+      sign_in user
+    end
+
+    let(:json_response) { JSON.parse(response.body) }
+
+    controller(described_class) do
+      def index
+        render json: Gon.all_variables
+      end
+    end
+
+    shared_examples 'setting gon variables' do
+      it 'sets gon variables' do
+        get :index, format: format
+
+        expect(json_response.size).not_to be_zero
+      end
+    end
+
+    shared_examples 'not setting gon variables' do
+      it 'does not set gon variables' do
+        get :index, format: format
+
+        expect(json_response.size).to be_zero
+      end
+    end
+
+    context 'with html format' do
+      let(:format) { :html }
+
+      it_behaves_like 'setting gon variables'
+
+      context 'for peek requests' do
+        before do
+          request.path = '/-/peek'
+        end
+
+        it_behaves_like 'not setting gon variables'
+      end
+    end
+
+    context 'with json format' do
+      let(:format) { :json }
+
+      it_behaves_like 'not setting gon variables'
+    end
+  end
+
  describe "#authenticate_user_from_personal_access_token!" do
    before do
      stub_authentication_activity_metrics(debug: false)