Trigger basic HTTP authentication only when Basic authorization header is present (#16107).

git-svn-id: http://svn.redmine.org/redmine/trunk@12915 e93f8b46-1217-0410-a6f0-8f06a7374b81

app/controllers/application_controller.rb

@@ -119,7 +119,7 @@ class ApplicationController < ActionController::Base
       if (key = api_key_from_request)
         # Use API key
         user = User.find_by_api_key(key)
-      else
+      elsif request.authorization.to_s =~ /\ABasic /i
         # HTTP Basic, either username/password or API key/random
         authenticate_with_http_basic do |username, password|
           user = User.try_to_login(username, password) || User.find_by_api_key(username)

test/integration/api_test/authentication_test.rb

@@ -28,6 +28,16 @@ class Redmine::ApiTest::AuthenticationTest < Redmine::ApiTest::Base
     Setting.rest_api_enabled = '0'
   end
 
+  def test_api_should_trigger_basic_http_auth_with_basic_authorization_header
+    ApplicationController.any_instance.expects(:authenticate_with_http_basic).once
+    get '/users/current.xml', {}, credentials('admin')
+  end
+
+  def test_api_should_not_trigger_basic_http_auth_with_non_basic_authorization_header
+    ApplicationController.any_instance.expects(:authenticate_with_http_basic).never
+    get '/users/current.xml', {}, 'HTTP_AUTHORIZATION' => 'Digest foo bar'
+  end
+
   def test_api_request_should_not_use_user_session
     log_user('jsmith', 'jsmith')