Do not user user session for API requests.

git-svn-id: svn+ssh://rubyforge.org/var/svn/redmine/trunk@10085 e93f8b46-1217-0410-a6f0-8f06a7374b81
2012-07-27 18:24:42 +00:00 · 2012-07-27 18:24:42 +00:00 · ed165f6716
parent 8ed4620bb9
commit ed165f6716
2 changed files with 48 additions and 11 deletions
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@ -86,25 +86,30 @@ class ApplicationController < ActionController::Base
  # Returns the current user or nil if no user is logged in
  # and starts a session if needed
  def find_current_user
-    if session[:user_id]
-      # existing session
-      (User.active.find(session[:user_id]) rescue nil)
-    elsif user = try_to_autologin
-      user
-    elsif params[:format] == 'atom' && params[:key] && request.get? && accept_rss_auth?
-      # RSS key authentication does not start a session
-      User.find_by_rss_key(params[:key])
-    elsif Setting.rest_api_enabled? && accept_api_auth?
+    user = nil
+    unless api_request?
+      if session[:user_id] 
+        # existing session
+        user = (User.active.find(session[:user_id]) rescue nil)
+      elsif autologin_user = try_to_autologin
+        user = autologin_user
+      elsif params[:format] == 'atom' && params[:key] && request.get? && accept_rss_auth?
+        # RSS key authentication does not start a session
+        user = User.find_by_rss_key(params[:key])
+      end
+    end
+    if user.nil? && Setting.rest_api_enabled? && accept_api_auth?
      if (key = api_key_from_request)
        # Use API key
-        User.find_by_api_key(key)
+        user = User.find_by_api_key(key)
      else
        # HTTP Basic, either username/password or API key/random
        authenticate_with_http_basic do |username, password|
-          User.try_to_login(username, password) || User.find_by_api_key(username)
+          user = User.try_to_login(username, password) || User.find_by_api_key(username)
        end
      end
    end
+    user
  end

  def try_to_autologin
--- a/test/integration/api_test/authentication_test.rb
+++ b/test/integration/api_test/authentication_test.rb
@ -0,0 +1,32 @@
+# Redmine - project management software
+# Copyright (C) 2006-2012  Jean-Philippe Lang
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# as published by the Free Software Foundation; either version 2
+# of the License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
+
+require File.expand_path('../../../test_helper', __FILE__)
+
+class ApiTest::AuthenticationTest < ActionController::IntegrationTest
+  fixtures :users
+
+  def test_api_request_should_not_use_user_session
+    log_user('jsmith', 'jsmith')
+
+    get '/users/current'
+    assert_response :success
+
+    get '/users/current.json'
+    assert_response 401
+  end
+end