
Implement path dependent feed_token

Joern Schneeweisz requested to merge new-feed-token into master

What does this MR do and why?

Implement Defense in depth: path dependent feed token (#414257 - closed) to add per-path feed/calendar token.

How to set up and validate locally

  1. Go to any issues list and click the Subscribe to RSS feed / Subscribe to calendar links
  2. Observe the feed_token parameter in the form glft-64CHARHEXSTRING-CURRENTUSERID

This type of feed_token will only work for the URL it was generated for. So user/project1/-/issues.atom will have a different feed_token than user/project2/-/issues.atom or user/project1/-/merge_requests.atom.

The feed token under /-/profile/personal_access_tokens will still work for any RSS/ics feed and it also can be used to generate the per-path token.

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Dominic Couture
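
A sketch of how a token of the form described above can be derived and checked, added here as an illustration and not taken from this merge request's diff. It assumes the 64 hex characters are an HMAC-SHA256 of the request path keyed with the user's static feed token; `path_feed_token`, `authenticate_feed` and the `USERS` store are hypothetical names with constructed data, and acceptance of the static token itself is not modelled.

```ruby
require 'openssl'

PREFIX   = 'glft-'                          # prefix from the token form in the description
TOKEN_RE = /\Aglft-(\h{64})-(\d+)\z/        # glft-64CHARHEXSTRING-CURRENTUSERID

# Derive the per-path token for one feed URL.
# Assumption: hex part = HMAC-SHA256(key: static feed token, message: path).
def path_feed_token(static_token, user_id, path)
  digest = OpenSSL::HMAC.hexdigest('SHA256', static_token, path)
  "#{PREFIX}#{digest}-#{user_id}"
end

# Compare two strings without stopping at the first differing byte.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Return the user id when the presented token is valid for this exact
# request path, otherwise nil. `lookup` maps a user id to that user's
# static feed token (hypothetical storage interface).
def authenticate_feed(presented, path, lookup)
  m = TOKEN_RE.match(presented.to_s) or return nil
  user_id = m[2].to_i
  static  = lookup.call(user_id) or return nil
  expected = path_feed_token(static, user_id, path)
  secure_equal?(expected, presented) ? user_id : nil
end

# Constructed sample data: one user with a made-up static feed token.
USERS  = { 42 => 'constructed-static-feed-token' }.freeze
LOOKUP = ->(id) { USERS[id] }

if __FILE__ == $PROGRAM_NAME
  issues = 'user/project1/-/issues.atom'
  token  = path_feed_token(USERS[42], 42, issues)
  puts token
  # Same token replayed against other feeds is rejected.
  [issues, 'user/project2/-/issues.atom', 'user/project1/-/merge_requests.atom'].each do |p|
    puts "#{p}: #{authenticate_feed(token, p, LOOKUP).inspect}"
  end
end
```

Because the static token is only the HMAC key and never appears in the URL, a leaked feed URL exposes access to that one path rather than to every feed of the user.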
