
Feature #11755 » api-auth-switch-user-v2.patch

Vincent Caron, 2012-10-09 23:41


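--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -66,15 +66,25 @@
       # RSS key authentication does not start a session
       User.find_by_rss_key(params[:key])
     elsif Setting.rest_api_enabled? && accept_api_auth?
+      user = nil
       if (key = api_key_from_request)
         # Use API key
-        User.find_by_api_key(key)
+        user = User.find_by_api_key(key)
       else
         # HTTP Basic, either username/password or API key/random
         authenticate_with_http_basic do |username, password|
-          User.try_to_login(username, password) || User.find_by_api_key(username)
+          user = User.try_to_login(username, password) || User.find_by_api_key(username)
         end
       end
+      # If authenticated user is 'admin', she may use the 'switch user' feature
+      if (user && user.admin? &&  (su = api_switch_user_from_request))
+        # Replace user even if 'su' auth fails, don't fallback on the original admin user
+        user = User.find_by_login(su)
+        if not user
+          render_error({:message => :notice_account_invalid_creditentials, :status => 412})
+        end
+      end
+      user
     end
   end
 
@@ -451,6 +461,13 @@
     end
   end
 
+  # Returns the API 'switch user' feature value if present
+  def api_switch_user_from_request
+    if request.headers["X-Redmine-Switch-User"].present?
+      request.headers["X-Redmine-Switch-User"].to_s
+    end
+  end
+
   # Renders a warning flash if obj has unsaved attachments
   def render_attachment_warning_if_needed(obj)
     flash[:warning] = l(:warning_attachments_not_saved, obj.unsaved_attachments.size) if obj.unsaved_attachments.present?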
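Review bot: The switch-user branch in the first hunk assigns `User.find_by_login(su)` without checking that the target account is active, so an admin could act as a locked or not-yet-activated login that the normal login path would presumably refuse; a guard such as `if user && user.active?` (falling through to the existing 412 otherwise) keeps impersonated requests under the same rule as direct authentication. Calling `render_error` from inside the user lookup and still returning `nil` also assumes every caller stops after a render — if a later filter renders again this would raise a double-render error, which is worth confirming against the callers. Since impersonation is a privileged action, a log line recording the admin's login and the target login at the switch point would give an audit trail of who acted as whom. As a point of style, `if not user` is conventionally written `unless user`. The enclosing method begins before the hunk, in the `if` chain above old line 66.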