From 58ff842d34d7e93df149a6beda0f822a7b144615 Mon Sep 17 00:00:00 2001
From: Jean-Philippe Lang
Date: Sat, 22 Feb 2014 12:09:58 +0000
Subject: [PATCH] Trigger basic HTTP authentication only when Basic authorization header is present (#16107).

git-svn-id: http://svn.redmine.org/redmine/trunk@12915 e93f8b46-1217-0410-a6f0-8f06a7374b81
---
 app/controllers/application_controller.rb | 2 +-
 test/integration/api_test/authentication_test.rb | 10 ++++++++++
 2 files changed, 11 insertions(+), 1 deletion(-)

diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb
index b297aa738..43257b2bf 100644
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -119,7 +119,7 @@ class ApplicationController < ActionController::Base
 if (key = api_key_from_request)
 # Use API key
 user = User.find_by_api_key(key)
- else
+ elsif request.authorization.to_s =~ /\ABasic /i
 # HTTP Basic, either username/password or API key/random
 authenticate_with_http_basic do |username, password|
 user = User.try_to_login(username, password) || User.find_by_api_key(username)
diff --git a/test/integration/api_test/authentication_test.rb b/test/integration/api_test/authentication_test.rb
index 3a6a4d696..016ab11d2 100644
--- a/test/integration/api_test/authentication_test.rb
+++ b/test/integration/api_test/authentication_test.rb
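Review bot: The new `elsif request.authorization.to_s =~ /\ABasic /i` guard in `app/controllers/application_controller.rb` carries no comment saying what happens when the Authorization header uses another scheme or is malformed. In that case neither branch runs and `user` keeps whatever value it had before this `if`, which is outside the hunk. That is presumably the intended unauthenticated fall-through, but it is security-relevant behaviour that a later edit could undo by turning the branch back into a plain `else`. I would extend the existing comment to `# HTTP Basic only, either username/password or API key/random; any other Authorization scheme is ignored here and the request is not authenticated by this branch`. The enclosing method starts and ends outside the hunk, so how a nil `user` is handled afterwards cannot be checked from here.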
@@ -28,6 +28,16 @@ class Redmine::ApiTest::AuthenticationTest < Redmine::ApiTest::Base
 Setting.rest_api_enabled = '0'
 end
 
+ def test_api_should_trigger_basic_http_auth_with_basic_authorization_header
+ ApplicationController.any_instance.expects(:authenticate_with_http_basic).once
+ get '/users/current.xml', {}, credentials('admin')
+ end
+
+ def test_api_should_not_trigger_basic_http_auth_with_non_basic_authorization_header
+ ApplicationController.any_instance.expects(:authenticate_with_http_basic).never
+ get '/users/current.xml', {}, 'HTTP_AUTHORIZATION' => 'Digest foo bar'
+ end
+
 def test_api_request_should_not_use_user_session
 log_user('jsmith', 'jsmith')
 
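Review bot: `test_api_should_not_trigger_basic_http_auth_with_non_basic_authorization_header` only checks that `authenticate_with_http_basic` is never called; it does not assert what the client gets back. A regression that skipped Basic auth but still let the `Digest foo bar` request through as some user would pass this test. Assuming an unauthenticated request to `/users/current.xml` is answered with 401 in this suite, I would add `assert_response 401` after the `get`. The `/i` flag on the controller's pattern is also not exercised, so a case with a lower-case `basic` scheme would be worth adding next to the first test. The test class continues outside the hunk.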