Trigger basic HTTP authentication only when Basic authorization header is present (#16107).

git-svn-id: http://svn.redmine.org/redmine/trunk@12915 e93f8b46-1217-0410-a6f0-8f06a7374b81
2014-02-22 12:09:58 +00:00 · 2014-02-22 12:09:58 +00:00 · 58ff842d34
parent 98e299857b
commit 58ff842d34
2 changed files with 11 additions and 1 deletions
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@ -119,7 +119,7 @@ class ApplicationController < ActionController::Base
      if (key = api_key_from_request)
        # Use API key
        user = User.find_by_api_key(key)
-      else
+      elsif request.authorization.to_s =~ /\ABasic /i
        # HTTP Basic, either username/password or API key/random
        authenticate_with_http_basic do |username, password|
          user = User.try_to_login(username, password) || User.find_by_api_key(username)
--- a/test/integration/api_test/authentication_test.rb
+++ b/test/integration/api_test/authentication_test.rb
@ -28,6 +28,16 @@ class Redmine::ApiTest::AuthenticationTest < Redmine::ApiTest::Base
    Setting.rest_api_enabled = '0'
  end

+  def test_api_should_trigger_basic_http_auth_with_basic_authorization_header
+    ApplicationController.any_instance.expects(:authenticate_with_http_basic).once
+    get '/users/current.xml', {}, credentials('admin')
+  end
+
+  def test_api_should_not_trigger_basic_http_auth_with_non_basic_authorization_header
+    ApplicationController.any_instance.expects(:authenticate_with_http_basic).never
+    get '/users/current.xml', {}, 'HTTP_AUTHORIZATION' => 'Digest foo bar'
+  end
+
  def test_api_request_should_not_use_user_session
    log_user('jsmith', 'jsmith')