author | Jean-Philippe Lang <jp_lang@yahoo.fr> | 2012-07-27 18:24:42 +0000 |
---|---|---|
committer | Jean-Philippe Lang <jp_lang@yahoo.fr> | 2012-07-27 18:24:42 +0000 |
commit | ed165f671620409c39830a7d8326d37c27ea2fc1 (patch) | |
tree | 23d952509780d6294e30f2e3a8897c4bfe805fc6 | |
parent | 8ed4620bb9e7b30cadea15aa6a4b499a5f165ea1 (diff) | |
Do not use user session for API requests.
git-svn-id: svn+ssh://rubyforge.org/var/svn/redmine/trunk@10085 e93f8b46-1217-0410-a6f0-8f06a7374b81
-rw-r--r-- | app/controllers/application_controller.rb | 27 | ||||
-rw-r--r-- | test/integration/api_test/authentication_test.rb | 32 |
2 files changed, 48 insertions, 11 deletions
diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb
index 98a52a834..5a1774c04 100644
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -86,25 +86,30 @@ class ApplicationController < ActionController::Base
 # Returns the current user or nil if no user is logged in
 # and starts a session if needed
 def find_current_user
- if session[:user_id]
- # existing session
- (User.active.find(session[:user_id]) rescue nil)
- elsif user = try_to_autologin
- user
- elsif params[:format] == 'atom' && params[:key] && request.get? && accept_rss_auth?
- # RSS key authentication does not start a session
- User.find_by_rss_key(params[:key])
- elsif Setting.rest_api_enabled? && accept_api_auth?
+ user = nil
+ unless api_request?
+ if session[:user_id]
+ # existing session
+ user = (User.active.find(session[:user_id]) rescue nil)
+ elsif autologin_user = try_to_autologin
+ user = autologin_user
+ elsif params[:format] == 'atom' && params[:key] && request.get? && accept_rss_auth?
+ # RSS key authentication does not start a session
+ user = User.find_by_rss_key(params[:key])
+ end
+ end
+ if user.nil? && Setting.rest_api_enabled? && accept_api_auth?
 if (key = api_key_from_request)
 # Use API key
- User.find_by_api_key(key)
+ user = User.find_by_api_key(key)
 else
 # HTTP Basic, either username/password or API key/random
 authenticate_with_http_basic do |username, password|
- User.try_to_login(username, password) || User.find_by_api_key(username)
+ user = User.try_to_login(username, password) || User.find_by_api_key(username)
 end
 end
 end
+ user
 end

 def try_to_autologin
diff --git a/test/integration/api_test/authentication_test.rb b/test/integration/api_test/authentication_test.rb
new file mode 100644
index 000000000..10527431a
--- /dev/null
+++ b/test/integration/api_test/authentication_test.rb
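Review bot: The header comment kept on the context lines above find_current_user (`# Returns the current user or nil if no user is logged in`, `# and starts a session if needed`) no longer describes the new behaviour: the added `unless api_request?` guard skips the session, autologin-cookie and RSS-key paths entirely for API requests, so cookie-carried credentials can no longer authenticate an API call. I would add a third comment line, `# For API requests (api_request?) the session and autologin cookie are ignored; only an API key or HTTP Basic credentials are accepted`, so the next reader does not assume a logged-in browser session also satisfies the API. Separately, the moved line `user = (User.active.find(session[:user_id]) rescue nil)` still uses the rescue modifier, which hides every StandardError raised by the lookup rather than only a missing record; `user = User.active.find_by_id(session[:user_id])` gives the same nil-on-miss result without masking other failures. api_request? is not defined in this hunk, so which formats it covers cannot be confirmed from the diff.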
@@ -0,0 +1,32 @@
+# Redmine - project management software
+# Copyright (C) 2006-2012 Jean-Philippe Lang
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# as published by the Free Software Foundation; either version 2
+# of the License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+
+require File.expand_path('../../../test_helper', __FILE__)
+
+class ApiTest::AuthenticationTest < ActionController::IntegrationTest
+ fixtures :users
+
+ def test_api_request_should_not_use_user_session
+ log_user('jsmith', 'jsmith')
+
+ get '/users/current'
+ assert_response :success
+
+ get '/users/current.json'
+ assert_response 401
+ end
+end |
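Review bot: The test pins only the negative case for the json format; it does not check that an API request authenticated by key or HTTP Basic still succeeds while a session is present, which is the path the controller change keeps open, nor any other API format. If api_request? also covers xml (not visible in this commit), adding `get '/users/current.xml'` followed by `assert_response 401` next to the json request would cover it. A positive case, for example the same `get '/users/current.json'` sent with the fixture user's API key or basic-auth credentials and `assert_response :success`, would show the session guard does not also reject legitimate API authentication. How the test helpers supply credentials is outside this diff, so the exact call is left to the author.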