Browse Source
Use HTTP status code 403 instead of 401 when REST API is disabled (#30086).
Patch by Yuichi HARADA. git-svn-id: http://svn.redmine.org/redmine/trunk@18055 e93f8b46-1217-0410-a6f0-8f06a7374b81tags/4.1.0
Go MAEDA
5 years ago
2 changed files with 13 additions and 8 deletions
+ 7
- 2
app/controllers/application_controller.rb
View File
| @@ -231,9 +231,14 @@ class ApplicationController < ActionController::Base | |||
| format.any(:atom, :pdf, :csv) { | |||
| redirect_to signin_path(:back_url => url) | |||
| } | |||
| format.xml { head :unauthorized, 'WWW-Authenticate' => 'Basic realm="Redmine API"' } | |||
| format.api { | |||
| if Setting.rest_api_enabled? && accept_api_auth? | |||
| head(:unauthorized, 'WWW-Authenticate' => 'Basic realm="Redmine API"') | |||
| else | |||
| head(:forbidden) | |||
| end | |||
| } | |||
| format.js { head :unauthorized, 'WWW-Authenticate' => 'Basic realm="Redmine API"' } | |||
| format.json { head :unauthorized, 'WWW-Authenticate' => 'Basic realm="Redmine API"' } | |||
| format.any { head :unauthorized } | |||
| end | |||
| return false | |||
+ 6
- 6
test/integration/api_test/disabled_rest_api_test.rb
View File
| @@ -43,11 +43,11 @@ class Redmine::ApiTest::DisabledRestApiTest < Redmine::ApiTest::Base | |||
| @token = Token.create!(:user => @user, :action => 'api') | |||
| get "/news.xml?key=#{@token.value}" | |||
| assert_response :unauthorized | |||
| assert_response :forbidden | |||
| assert_equal User.anonymous, User.current | |||
| get "/news.json?key=#{@token.value}" | |||
| assert_response :unauthorized | |||
| assert_response :forbidden | |||
| assert_equal User.anonymous, User.current | |||
| end | |||
| @@ -57,11 +57,11 @@ class Redmine::ApiTest::DisabledRestApiTest < Redmine::ApiTest::Base | |||
| end | |||
| get "/news.xml", :headers => credentials(@user.login, 'my_password') | |||
| assert_response :unauthorized | |||
| assert_response :forbidden | |||
| assert_equal User.anonymous, User.current | |||
| get "/news.json", :headers => credentials(@user.login, 'my_password') | |||
| assert_response :unauthorized | |||
| assert_response :forbidden | |||
| assert_equal User.anonymous, User.current | |||
| end | |||
| @@ -70,11 +70,11 @@ class Redmine::ApiTest::DisabledRestApiTest < Redmine::ApiTest::Base | |||
| @token = Token.create!(:user => @user, :action => 'api') | |||
| get "/news.xml", :headers => credentials(@token.value, 'X') | |||
| assert_response :unauthorized | |||
| assert_response :forbidden | |||
| assert_equal User.anonymous, User.current | |||
| get "/news.json", :headers => credentials(@token.value, 'X') | |||
| assert_response :unauthorized | |||
| assert_response :forbidden | |||
| assert_equal User.anonymous, User.current | |||
| end | |||
| end | |||
Loading…