if (key = api_key_from_request)
# Use API key
user = User.find_by_api_key(key)
- else
+ elsif request.authorization.to_s =~ /\ABasic /i
# HTTP Basic, either username/password or API key/random
authenticate_with_http_basic do |username, password|
user = User.try_to_login(username, password) || User.find_by_api_key(username)
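Review bot: The `=~` on the new elsif line can itself raise ArgumentError when `request.authorization` comes in as a UTF-8-tagged string holding an invalid byte sequence, which is the same failure class this commit fixes in `User.find_by_login`; whether that happens depends on the encoding the Rack server assigns to header values, so it should be confirmed under the deployed stack. If it does, normalising first keeps the guard safe, e.g. `elsif Redmine::CodesetUtil.replace_invalid_utf8(request.authorization.to_s) =~ /\ABasic /i`, reusing the helper the user.rb hunk already relies on. The added `test_invalid_utf8_credentials_should_not_trigger_an_error` sends the invalid bytes inside the base64 payload, so the header string itself stays ASCII and this branch of the problem is not exercised. The enclosing method starts and ends outside the hunk.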
# Find a user account by matching the exact login and then a case-insensitive
# version. Exact matches will be given priority.
def self.find_by_login(login)
+ login = Redmine::CodesetUtil.replace_invalid_utf8(login.to_s)
if login.present?
- login = login.to_s
# First look for an exact match
user = where(:login => login).detect {|u| u.login == login}
unless user
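Review bot: The method comment above `find_by_login` no longer describes the new first line, which normalises `login` before the lookup; as a consequence `where(:login => login)` and the `u.login == login` comparison run against the replaced string rather than the caller's original bytes, so two inputs differing only in invalid byte sequences would presumably resolve to the same account if one with the replacement text existed (low impact, since the password is verified separately, but worth stating). I would extend the comment with `# Invalid UTF-8 byte sequences in +login+ are replaced before the lookup, so malformed input is compared in its normalised form.` The method body continues past the end of the hunk.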
Setting.rest_api_enabled = '0'
end
+ def test_api_should_trigger_basic_http_auth_with_basic_authorization_header
+ ApplicationController.any_instance.expects(:authenticate_with_http_basic).once
+ get '/users/current.xml', {}, credentials('jsmith')
+ assert_response 401
+ end
+
+ def test_api_should_not_trigger_basic_http_auth_with_non_basic_authorization_header
+ ApplicationController.any_instance.expects(:authenticate_with_http_basic).never
+ get '/users/current.xml', {}, 'HTTP_AUTHORIZATION' => 'Digest foo bar'
+ assert_response 401
+ end
+
+ def test_invalid_utf8_credentials_should_not_trigger_an_error
+ invalid_utf8 = "\x82"
+ if invalid_utf8.respond_to?(:force_encoding)
+ invalid_utf8.force_encoding('UTF-8')
+ assert !invalid_utf8.valid_encoding?
+ end
+ assert_nothing_raised do
+ get '/users/current.xml', {}, credentials(invalid_utf8, "foo")
+ end
+ end
+
def test_api_request_should_not_use_user_session
log_user('jsmith', 'jsmith')