Defect #28967
open
Could the REST API be used in the plugin with auth again?
0%
Description
I wrote a plugin.
When I use $.ajax to access some REST API in the plugin, a login dialog is shown even if I have already logged in with the Redmine web interface.
Could there be a way for the REST API to use the current user auth?
Updated by Stephane Evr over 6 years ago
I have the same issue, where basically any Ajax call from a logged-in user asking for JSON or XML format requires a separate authentication (e.g. /issues.json), but any other format does not (e.g. /issues).
I can see this is due to this commit: https://github.com/redmine/redmine/commit/ed165f671620409c39830a7d8326d37c27ea2fc1
Is there a security reason for that?
Updated by Stephane Evr over 6 years ago
Stephane Evr wrote:
I have the same issue, where basically any Ajax call from a logged-in user asking for JSON or XML format requires a separate authentication (e.g. /issues.json), but any other format does not (e.g. /issues).
I can see this is due to this commit: https://github.com/redmine/redmine/commit/ed165f671620409c39830a7d8326d37c27ea2fc1
Is there a security reason for that?
In my opinion, as long as the Ajax request contains Session Token + CSRF Token, there should not be any problem, no? And if no CSRF token is present, fall back to the API auth mechanism.
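
The fallback order proposed in the last comment, as an added Ruby sketch that is not part of the thread and is not Redmine's code. The request is modeled as a plain hash; `authenticate`, `API_KEYS`, `SESSION` and all token values are hypothetical and constructed, while `X-CSRF-Token` is the header Rails' JavaScript helpers send and `X-Redmine-API-Key` is the header Redmine's REST API accepts for API keys.

```ruby
# Hypothetical policy sketch: names and data below are illustrative only.
API_KEYS = { "constructed-api-key-0001" => "api_user" }.freeze          # constructed
SESSION  = { user: "alice", csrf_token: "constructed-csrf-abc" }.freeze  # constructed

# Constant-time comparison so a token check does not leak matches via timing.
def tokens_match?(a, b)
  return false unless a.is_a?(String) && b.is_a?(String) && a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Returns [mode, user], where mode is :session, :api_key or :unauthorized.
def authenticate(request)
  session = request[:session] || {}
  headers = request[:headers] || {}

  # 1. Honour the browser session only when the request also echoes the
  #    session's CSRF token, which a page on another origin cannot read.
  if session[:user] && tokens_match?(headers["X-CSRF-Token"], session[:csrf_token])
    return [:session, session[:user]]
  end

  # 2. No valid CSRF token: ignore the cookie and fall back to API auth.
  match = API_KEYS.find { |key, _| tokens_match?(headers["X-Redmine-API-Key"], key) }
  return [:api_key, match.last] if match

  # 3. Neither proof is present: the caller must authenticate (HTTP 401).
  [:unauthorized, nil]
end

# Three constructed requests: the plugin's own Ajax call, a request that
# carries only the session cookie, and a non-browser API client.
def sample_results
  {
    plugin_ajax: authenticate(session: SESSION,
                              headers: { "X-CSRF-Token" => "constructed-csrf-abc" }),
    cookie_only: authenticate(session: SESSION, headers: {}),
    api_client:  authenticate(session: {},
                              headers: { "X-Redmine-API-Key" => "constructed-api-key-0001" })
  }
end

sample_results.each { |name, result| puts "#{name}: #{result.inspect}" }
```

The `cookie_only` case is the one that matters for the question about a security reason: a request that carries the session cookie but no CSRF token receives no session identity under this policy.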