From: Jean-Philippe Lang <jp_lang@yahoo.fr>
Date: Thu, 23 Dec 2010 14:49:14 +0000 (+0000)
Subject: Makes the API accepts the X-Redmine-API-Key header to hold the API key.
X-Git-Tag: 1.1.0~37
X-Git-Url: https://source.dussan.org/?a=commitdiff_plain;h=07fe46e9dfc1567d24de4ff8799a1e1c048b2adc;p=redmine.git

Makes the API accepts the X-Redmine-API-Key header to hold the API key.

git-svn-id: svn+ssh://rubyforge.org/var/svn/redmine/trunk@4573 e93f8b46-1217-0410-a6f0-8f06a7374b81
---

diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb
index 7c84b99f6..803eb5f2e 100644
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -71,10 +71,10 @@ class ApplicationController < ActionController::Base
     elsif params[:format] == 'atom' && params[:key] && accept_key_auth_actions.include?(params[:action])
       # RSS key authentication does not start a session
       User.find_by_rss_key(params[:key])
-    elsif Setting.rest_api_enabled? && ['xml', 'json'].include?(params[:format])
-      if params[:key].present? && accept_key_auth_actions.include?(params[:action])
+    elsif Setting.rest_api_enabled? && api_request?
+      if (key = api_key_from_request) && accept_key_auth_actions.include?(params[:action])
         # Use API key
-        User.find_by_api_key(params[:key])
+        User.find_by_api_key(key)
       else
         # HTTP Basic, either username/password or API key/random
         authenticate_with_http_basic do |username, password|
@@ -402,6 +402,15 @@ class ApplicationController < ActionController::Base
   def api_request?
     %w(xml json).include? params[:format]
   end
+  
+  # Returns the API key present in the request
+  def api_key_from_request
+    if params[:key].present?
+      params[:key]
+    elsif request.headers["X-Redmine-API-Key"].present?
+      request.headers["X-Redmine-API-Key"]
+    end
+  end
 
   # Renders a warning flash if obj has unsaved attachments
   def render_attachment_warning_if_needed(obj)
diff --git a/test/test_helper.rb b/test/test_helper.rb
index 54681526a..be87c63f5 100644
--- a/test/test_helper.rb
+++ b/test/test_helper.rb
@@ -361,6 +361,20 @@ class ActiveSupport::TestCase
       end
     end
     
+    context "should allow key based auth using X-Redmine-API-Key header for #{http_method} #{url}" do
+      setup do
+        @user = User.generate_with_protected!(:admin => true)
+        @token = Token.generate!(:user => @user, :action => 'api')
+        send(http_method, url, parameters, {'X-Redmine-API-Key' => @token.value.to_s})
+      end
+      
+      should_respond_with success_code
+      should_respond_with_content_type_based_on_url(url)
+      should_be_a_valid_response_string_based_on_url(url)
+      should "login as the user" do
+        assert_equal @user, User.current
+      end
+    end
   end
 
   # Uses should_respond_with_content_type based on what's in the url: