Feature #30086 » 30086-http-status-code-403.patch

Yuichi HARADA, 2018-12-10 03:18


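--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -229,9 +229,14 @@
         format.any(:atom, :pdf, :csv) {
           redirect_to signin_path(:back_url => url)
         }
-        format.xml  { head :unauthorized, 'WWW-Authenticate' => 'Basic realm="Redmine API"' }
+        format.api  {
+          if Setting.rest_api_enabled? && accept_api_auth?
+            head(:unauthorized, 'WWW-Authenticate' => 'Basic realm="Redmine API"')
+          else
+            head(:forbidden)
+          end
+        }
         format.js   { head :unauthorized, 'WWW-Authenticate' => 'Basic realm="Redmine API"' }
-        format.json { head :unauthorized, 'WWW-Authenticate' => 'Basic realm="Redmine API"' }
         format.any  { head :unauthorized }
       end
       return false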
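Review bot: The new `format.api` branch answers `head(:forbidden)` with no `WWW-Authenticate` header when the REST API is disabled or the action does not accept API auth, and nothing in the hunk records why 403 replaces the previous 401 here; a one-line comment such as `# 403 without a challenge: API credentials cannot succeed for this request, so do not invite a Basic-auth retry (a 401 must carry WWW-Authenticate)` would keep a later edit from flattening the two cases back together. The `format.js` line directly below still sends the unconditional 401 plus `Basic realm="Redmine API"` challenge, so it is worth confirming that JS requests are deliberately exempt from the same `Setting.rest_api_enabled? && accept_api_auth?` condition. The removed `format.xml` and `format.json` handlers are replaced by a single `format.api`, which presumably covers both formats via a registered `api` mime alias — verify that alias exists, since otherwise xml/json would fall through to `format.any`. The enclosing method starts and ends outside the hunk.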
test/integration/api_test/disabled_rest_api_test.rb
41 41
    @token = Token.create!(:user => @user, :action => 'api')
42 42

  
43 43
    get "/news.xml?key=#{@token.value}"
44
    assert_response :unauthorized
44
    assert_response :forbidden
45 45
    assert_equal User.anonymous, User.current
46 46

  
47 47
    get "/news.json?key=#{@token.value}"
48
    assert_response :unauthorized
48
    assert_response :forbidden
49 49
    assert_equal User.anonymous, User.current
50 50
  end
51 51

  
......
55 55
    end
56 56

  
57 57
    get "/news.xml", :headers => credentials(@user.login, 'my_password')
58
    assert_response :unauthorized
58
    assert_response :forbidden
59 59
    assert_equal User.anonymous, User.current
60 60

  
61 61
    get "/news.json", :headers => credentials(@user.login, 'my_password')
62
    assert_response :unauthorized
62
    assert_response :forbidden
63
    assert_equal User.anonymous, User.current
64
  end
65

  
66
  def test_with_valid_username_and_wrong_password_http_authentication
67
    @user = User.generate! do |user|
68
      user.password = 'my_password'
69
    end
70

  
71
    get '/news.xml', :headers => credentials(@user.login, 'wrong_password')
72
    assert_response :forbidden
73
    assert_equal User.anonymous, User.current
74

  
75
    get "/news.json", :headers => credentials(@user.login, 'wrong_password')
76
    assert_response :forbidden
63 77
    assert_equal User.anonymous, User.current
64 78
  end
65 79

  
......
68 82
    @token = Token.create!(:user => @user, :action => 'api')
69 83

  
70 84
    get "/news.xml", :headers => credentials(@token.value, 'X')
71
    assert_response :unauthorized
85
    assert_response :forbidden
72 86
    assert_equal User.anonymous, User.current
73 87

  
74 88
    get "/news.json", :headers => credentials(@token.value, 'X')
75
    assert_response :unauthorized
89
    assert_response :forbidden
76 90
    assert_equal User.anonymous, User.current
77 91
  end
78 92
end
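Review bot: The updated assertions in every hunk of this file check only the status code, so they would still pass if the 403 response carried a `WWW-Authenticate` challenge, which is precisely what distinguishes the new `format.api` branch from the old 401; consider pinning it after each `assert_response :forbidden` with `assert_nil response.headers['WWW-Authenticate']` (assuming the integration harness exposes `response.headers` as elsewhere in this suite — please verify). The new `test_with_valid_username_and_wrong_password_http_authentication` is the right shape for a disabled-API suite, since a wrong and a right password both yield the same 403 and no credential oracle is introduced. As a point of style, it mixes `'/news.xml'` and `"/news.json"` quoting where the neighbouring tests use double quotes throughout.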