Feature #30086 » 30086-http-status-code-403-v2.patch

Go MAEDA, 2019-02-25 13:33

app/controllers/application_controller.rb
229 229
        format.any(:atom, :pdf, :csv) {
230 230
          redirect_to signin_path(:back_url => url)
231 231
        }
232
        format.xml  { head :unauthorized, 'WWW-Authenticate' => 'Basic realm="Redmine API"' }
232
        format.api  {
233
          if Setting.rest_api_enabled? && accept_api_auth?
234
            head(:unauthorized, 'WWW-Authenticate' => 'Basic realm="Redmine API"')
235
          else
236
            head(:forbidden)
237
          end
238
        }
233 239
        format.js   { head :unauthorized, 'WWW-Authenticate' => 'Basic realm="Redmine API"' }
234
        format.json { head :unauthorized, 'WWW-Authenticate' => 'Basic realm="Redmine API"' }
235 240
        format.any  { head :unauthorized }
236 241
      end
237 242
      return false
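Review bot: The `format.js` handler kept as context at 233/239 still answers `401` with `WWW-Authenticate: Basic realm="Redmine API"` when `Setting.rest_api_enabled?` is false, so a JS request to a login-required action still solicits the API Basic credentials that the new `format.api` branch deliberately stops asking for; if that is unintended, the same guard belongs there too, most simply by extracting the new `if`/`else` into a private helper (e.g. `api_login_required_response`) and calling it from both `format.api` and `format.js`. The `403` path sends no body, so an API client cannot tell "REST API disabled" from "action does not accept API auth" — that is probably acceptable (it avoids revealing configuration), but it is worth recording why `403` rather than `401` is chosen, e.g. `# a 401 must carry WWW-Authenticate (RFC 7235); when no API auth is accepted here, answer 403 without inviting credentials`. The enclosing `require_login` body starts before this hunk, so the surrounding redirect logic is not reviewed here.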
test/integration/api_test/disabled_rest_api_test.rb
41 41
    @token = Token.create!(:user => @user, :action => 'api')
42 42

  
43 43
    get "/news.xml?key=#{@token.value}"
44
    assert_response :unauthorized
44
    assert_response :forbidden
45 45
    assert_equal User.anonymous, User.current
46 46

  
47 47
    get "/news.json?key=#{@token.value}"
48
    assert_response :unauthorized
48
    assert_response :forbidden
49 49
    assert_equal User.anonymous, User.current
50 50
  end
51 51

  
......
55 55
    end
56 56

  
57 57
    get "/news.xml", :headers => credentials(@user.login, 'my_password')
58
    assert_response :unauthorized
58
    assert_response :forbidden
59 59
    assert_equal User.anonymous, User.current
60 60

  
61 61
    get "/news.json", :headers => credentials(@user.login, 'my_password')
62
    assert_response :unauthorized
62
    assert_response :forbidden
63 63
    assert_equal User.anonymous, User.current
64 64
  end
65 65

  
......
68 68
    @token = Token.create!(:user => @user, :action => 'api')
69 69

  
70 70
    get "/news.xml", :headers => credentials(@token.value, 'X')
71
    assert_response :unauthorized
71
    assert_response :forbidden
72 72
    assert_equal User.anonymous, User.current
73 73

  
74 74
    get "/news.json", :headers => credentials(@token.value, 'X')
75
    assert_response :unauthorized
75
    assert_response :forbidden
76 76
    assert_equal User.anonymous, User.current
77 77
  end
78 78
end
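Review bot: The updated assertions pin the status code but not the header that motivates the change: a `403` must not advertise Basic auth the way the old `401` did, yet nothing here checks that `WWW-Authenticate` is absent from the new responses. Adding `assert_nil response.headers['WWW-Authenticate']` after each `assert_response :forbidden` would catch a regression where the controller keeps the challenge header on the forbidden path. The controller branch also returns `403` when the API is enabled but the action does not accept API auth; that path is not exercised in this file, which by its name may be the intended scope, so a companion test elsewhere would be worth confirming. Each of the three test methods begins before its hunk, so their names and setup are not visible here.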