From: Tom Clegg Date: Fri, 24 Nov 2017 17:18:11 +0000 (-0500) Subject: 11453: Check HTTP method of token validation request. X-Git-Tag: 1.1.2~25^2~18 X-Git-Url: https://git.arvados.org/arvados.git/commitdiff_plain/d62abcbe1fe0fcf0ce65cb7ea812db307b734a45 11453: Check HTTP method of token validation request. Arvados-DCO-1.1-Signed-off-by: Tom Clegg --- diff --git a/services/api/app/middlewares/arvados_api_token.rb b/services/api/app/middlewares/arvados_api_token.rb index 3d680cbfb9..105b00faa4 100644 --- a/services/api/app/middlewares/arvados_api_token.rb +++ b/services/api/app/middlewares/arvados_api_token.rb @@ -26,7 +26,7 @@ class ArvadosApiToken env["HTTP_AUTHORIZATION"].andand. match(/(OAuth2|Bearer) ([-\/a-zA-Z0-9]+)/).andand[2] - if params[:remote] && ( + if params[:remote] && request.get? && ( request.path.start_with?('/arvados/v1/groups') || request.path.start_with?('/arvados/v1/users/current')) # Request from a remote API server, asking to validate a salted
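Review bot: On the changed `if params[:remote] && request.get? && (` line, the method is now restricted but the path conditions that follow are still prefix matches: `request.path.start_with?('/arvados/v1/groups')` accepts any GET path that merely begins with that string, including every subpath and any sibling route sharing the prefix, and the same holds for `/arvados/v1/users/current`. If the salted remote-token branch is meant to cover only specific endpoints, match on an exact path or a segment boundary (the prefix followed by `/` or end of string) so the branch does not widen when new routes are added under those prefixes. The patch as shown touches only the middleware; a test asserting that a non-GET request carrying `remote` does not enter this branch would pin the behaviour the subject line describes. It is also worth stating in the comment whether HEAD requests are intentionally excluded, since `request.get?` is the only method accepted here.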