From: Jean-Philippe Lang
Date: Fri, 27 Jul 2012 18:24:42 +0000 (+0000)
Subject: Do not user user session for API requests.
X-Git-Tag: 2.1.0~238
X-Git-Url: https://source.dussan.org/?a=commitdiff_plain;h=ed165f671620409c39830a7d8326d37c27ea2fc1;p=redmine.git
Do not user user session for API requests.
git-svn-id: svn+ssh://rubyforge.org/var/svn/redmine/trunk@10085 e93f8b46-1217-0410-a6f0-8f06a7374b81
---
diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb
index 98a52a834..5a1774c04 100644
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -86,25 +86,30 @@ class ApplicationController < ActionController::Base
   # Returns the current user or nil if no user is logged in
   # and starts a session if needed
   def find_current_user
-    if session[:user_id]
-      # existing session
-      (User.active.find(session[:user_id]) rescue nil)
-    elsif user = try_to_autologin
-      user
-    elsif params[:format] == 'atom' && params[:key] && request.get? && accept_rss_auth?
-      # RSS key authentication does not start a session
-      User.find_by_rss_key(params[:key])
-    elsif Setting.rest_api_enabled? && accept_api_auth?
+    user = nil
+    unless api_request?
+      if session[:user_id]
+        # existing session
+        user = (User.active.find(session[:user_id]) rescue nil)
+      elsif autologin_user = try_to_autologin
+        user = autologin_user
+      elsif params[:format] == 'atom' && params[:key] && request.get? && accept_rss_auth?
+        # RSS key authentication does not start a session
+        user = User.find_by_rss_key(params[:key])
+      end
+    end
+    if user.nil? && Setting.rest_api_enabled? && accept_api_auth?
       if (key = api_key_from_request)
         # Use API key
-        User.find_by_api_key(key)
+        user = User.find_by_api_key(key)
       else
         # HTTP Basic, either username/password or API key/random
         authenticate_with_http_basic do |username, password|
-          User.try_to_login(username, password) || User.find_by_api_key(username)
+          user = User.try_to_login(username, password) || User.find_by_api_key(username)
         end
       end
     end
+    user
   end
 
   def try_to_autologin
diff --git a/test/integration/api_test/authentication_test.rb b/test/integration/api_test/authentication_test.rb
new file mode 100644
index 000000000..10527431a
--- /dev/null
+++ b/test/integration/api_test/authentication_test.rb
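Review bot: The header comment on find_current_user (`# and starts a session if needed`, the two context lines above the def) is now stale: with the new `unless api_request?` guard an API request never reads the session, so its API-key or HTTP Basic credentials have to be presented on every call. Suggest appending `# API requests (api_request?) never reuse the browser session; they must authenticate with an API key or HTTP Basic on every request`. Since `api_request?` is defined outside the hunk, whether it is decided by the requested format alone or also by request headers cannot be seen here, so the exact set of requests that lose session access should be confirmed against that helper. On the new session branch the carried-over `user = (User.active.find(session[:user_id]) rescue nil)` still uses a rescue modifier that also hides database errors; `user = User.active.find_by_id(session[:user_id])` returns nil for a missing or inactive user without swallowing other exceptions. For consistency, `elsif autologin_user = try_to_autologin` could use the parenthesised assignment form already used on `if (key = api_key_from_request)` further down.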
@@ -0,0 +1,32 @@
+# Redmine - project management software
+# Copyright (C) 2006-2012 Jean-Philippe Lang
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# as published by the Free Software Foundation; either version 2
+# of the License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+
+require File.expand_path('../../../test_helper', __FILE__)
+
+class ApiTest::AuthenticationTest < ActionController::IntegrationTest
+  fixtures :users
+
+  def test_api_request_should_not_use_user_session
+    log_user('jsmith', 'jsmith')
+
+    get '/users/current'
+    assert_response :success
+
+    get '/users/current.json'
+    assert_response 401
+  end
+end
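Review bot: The new test pins only the negative half of the behaviour, and only for the JSON format: `get '/users/current.json'` must return 401 while a session exists, but nothing checks the other API format or that an API request can still authenticate once the session is ignored. Adding `get '/users/current.xml'` followed by `assert_response 401` after the JSON check, plus a positive case where the same session-bearing request carries a valid API key and expects 200, would also guard the api-key branch in find_current_user that this commit rewires. `log_user` is presumably a test_helper helper that signs in through the login form, which is what makes the first `get '/users/current'` succeed; confirm it does not also set an API key header, or the 401 assertion would be testing the wrong thing.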