Fix JSON responses returning 302 instead of 401 (!19409) · Merge requests · GitLab.org / GitLab

Stan Hu requested to merge sh-fix-issue-35289 into master Oct 30, 2019

Originally, URLs such as http://localhost:3000/h5bp/non-existent-project/blob/master/test.txt returned a 401 instead of a 302 if the user was not logged in.

If ProjectUrlConstrainer doesn't return true, it gets caught by our wildcard route:

get '*unmatched_route', to: 'application#route_not_found'

This has a glob but format: false is not set so the end part is still treated as the format param of this route (i.e. something like *unmatched_route(.:format)).

This change makes it so that only those that get caught by *unmatched_route' are forced a redirect and #find_routable! which calls requests.

Closes https://gitlab.com/gitlab-org/gitlab/issues/35289

Edited Oct 30, 2019 by Stan Hu

Fix JSON responses returning 302 instead of 401

Merge request reports