summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorJean-Philippe Lang <jp_lang@yahoo.fr>2012-07-27 18:24:42 +0000
committerJean-Philippe Lang <jp_lang@yahoo.fr>2012-07-27 18:24:42 +0000
commited165f671620409c39830a7d8326d37c27ea2fc1 (patch)
tree23d952509780d6294e30f2e3a8897c4bfe805fc6
parent8ed4620bb9e7b30cadea15aa6a4b499a5f165ea1 (diff)
downloadredmine-ed165f671620409c39830a7d8326d37c27ea2fc1.tar.gz
redmine-ed165f671620409c39830a7d8326d37c27ea2fc1.zip
Do not user user session for API requests.
git-svn-id: svn+ssh://rubyforge.org/var/svn/redmine/trunk@10085 e93f8b46-1217-0410-a6f0-8f06a7374b81
-rw-r--r--app/controllers/application_controller.rb27
-rw-r--r--test/integration/api_test/authentication_test.rb32
2 files changed, 48 insertions, 11 deletions
diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb
index 98a52a834..5a1774c04 100644
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -86,25 +86,30 @@ class ApplicationController < ActionController::Base
# Returns the current user or nil if no user is logged in
# and starts a session if needed
def find_current_user
- if session[:user_id]
- # existing session
- (User.active.find(session[:user_id]) rescue nil)
- elsif user = try_to_autologin
- user
- elsif params[:format] == 'atom' && params[:key] && request.get? && accept_rss_auth?
- # RSS key authentication does not start a session
- User.find_by_rss_key(params[:key])
- elsif Setting.rest_api_enabled? && accept_api_auth?
+ user = nil
+ unless api_request?
+ if session[:user_id]
+ # existing session
+ user = (User.active.find(session[:user_id]) rescue nil)
+ elsif autologin_user = try_to_autologin
+ user = autologin_user
+ elsif params[:format] == 'atom' && params[:key] && request.get? && accept_rss_auth?
+ # RSS key authentication does not start a session
+ user = User.find_by_rss_key(params[:key])
+ end
+ end
+ if user.nil? && Setting.rest_api_enabled? && accept_api_auth?
if (key = api_key_from_request)
# Use API key
- User.find_by_api_key(key)
+ user = User.find_by_api_key(key)
else
# HTTP Basic, either username/password or API key/random
authenticate_with_http_basic do |username, password|
- User.try_to_login(username, password) || User.find_by_api_key(username)
+ user = User.try_to_login(username, password) || User.find_by_api_key(username)
end
end
end
+ user
end
def try_to_autologin
diff --git a/test/integration/api_test/authentication_test.rb b/test/integration/api_test/authentication_test.rb
new file mode 100644
index 000000000..10527431a
--- /dev/null
+++ b/test/integration/api_test/authentication_test.rb
@@ -0,0 +1,32 @@
+# Redmine - project management software
+# Copyright (C) 2006-2012 Jean-Philippe Lang
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# as published by the Free Software Foundation; either version 2
+# of the License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+
+require File.expand_path('../../../test_helper', __FILE__)
+
+class ApiTest::AuthenticationTest < ActionController::IntegrationTest
+ fixtures :users
+
+ def test_api_request_should_not_use_user_session
+ log_user('jsmith', 'jsmith')
+
+ get '/users/current'
+ assert_response :success
+
+ get '/users/current.json'
+ assert_response 401
+ end
+end