11453: Check HTTP method of token validation request.

[arvados.git] / services / api / app / middlewares / arvados_api_token.rb

diff --git a/services/api/app/middlewares/arvados_api_token.rb b/services/api/app/middlewares/arvados_api_token.rb
index 3d680cbfb93578d28dd7e3dbc3706d769e1e7742..105b00faa4dc4d108737949381f9f5c40d8c17ca 100644 (file)
--- a/services/api/app/middlewares/arvados_api_token.rb
+++ b/services/api/app/middlewares/arvados_api_token.rb
@@ -26,7 +26,7 @@ class ArvadosApiToken
       env["HTTP_AUTHORIZATION"].andand.
         match(/(OAuth2|Bearer) ([-\/a-zA-Z0-9]+)/).andand[2]
 
-    if params[:remote] && (
+    if params[:remote] && request.get? && (
          request.path.start_with?('/arvados/v1/groups') ||
          request.path.start_with?('/arvados/v1/users/current'))
       # Request from a remote API server, asking to validate a salted