REST API for USERS doesn't ask for authentication
Target version: Candidate for next minor release
I am using the Java API for Redmine which is using the Redmine REST API to communicate with Redmine and I am not able to retrieve user data because of the following problem:
In a Redmine environment with NO public projects, when making a user REST request like
it returns a 404 immediately instead of asking for authentication. When for example issues are requested, it works like this:
- > GET /issues/1.xml
- < 401 Unauthorized
- > again GET /issues/1.xml with authentication information
- < 200 OK with the requested data
I am using Redmine 1.2.1 and this is reproducible with mod_passenger on Apache httpd2 and WEBrick, so I guess it is a small glitch in Redmine.
It only happens on Redmine installations with no public projects; as soon as there is one public project, the request for users works the same way as the one for issues.
Unfortunately I am completely unfamiliar with Ruby, Rails and Redmine, could you give some advice on how to solve this problem?
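The exchange described in the report above, as an added example that is not part of the original thread or of Redmine: a local stub server reproduces the reported responses, and a client that sends credentials only after a 401 challenge is compared with one that sends them up front. The stub, its credentials, the `/users/1.xml` path and the assumption that up-front credentials are accepted are all constructed for illustration.

```python
import base64
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

CREDS = "Basic " + base64.b64encode(b"demo:demo-pass").decode()  # constructed
OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))  # no proxy

class StubServer(BaseHTTPRequestHandler):
    """Constructed stand-in that answers the way the report describes."""
    def do_GET(self):
        # assumption: credentials sent up front are accepted
        authed = self.headers.get("Authorization") == CREDS
        # reported: /users/ gives 404 with no challenge; other paths give 401
        status = 200 if authed else 404 if self.path.startswith("/users/") else 401
        self.send_response(status)
        if status == 401:
            self.send_header("WWW-Authenticate", 'Basic realm="stub"')
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, *args):
        pass  # keep the stub quiet

def get(url, auth=None):  # returns (status, WWW-Authenticate header)
    req = urllib.request.Request(url, headers={"Authorization": auth} if auth else {})
    try:
        with OPENER.open(req, timeout=5) as resp:
            return resp.status, resp.headers.get("WWW-Authenticate")
    except urllib.error.HTTPError as err:
        return err.code, err.headers.get("WWW-Authenticate")

def challenge_driven_get(url):
    """Send credentials only after a 401 challenge, as in the exchange above."""
    status, challenge = get(url)
    return get(url, CREDS)[0] if status == 401 and challenge else status

def audit(paths):
    """Map each path to (anonymous, challenge-driven, pre-authenticated) status."""
    with HTTPServer(("127.0.0.1", 0), StubServer) as server:
        threading.Thread(target=server.serve_forever, daemon=True).start()
        base = "http://127.0.0.1:%d" % server.server_port
        try:
            return {p: (get(base + p)[0], challenge_driven_get(base + p), get(base + p, CREDS)[0]) for p in paths}
        finally:
            server.shutdown()

if __name__ == "__main__":
    for path, statuses in audit(["/issues/1.xml", "/users/1.xml"]).items():
        print(path, statuses)
```

Pointed at a test instance instead of the stub, the same three-way comparison works as a regression check that every protected REST path answers anonymous requests with a 401 challenge.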
#4 Updated by Christian Migowski almost 2 years ago
Thanks for your reconsideration!
Like I said, I am a Ruby/Rails/Redmine newbie (otherwise somewhat experienced programmer), but could you point me to the right source file where the differentiation between issues REST which is triggering the basic authentication and user REST which isn't triggering authentication is made?
I would like to try to fix it by myself, because this breaks the Redmine Java API for users which blocks me :(
#5 Updated by Etienne Massip almost 2 years ago
- Target version set to Candidate for next minor release
Ok, this is a bug, this 404 should be a 401.
Will have a look closer later and give you leads.
FYI, access control code is located in ApplicationController class (source:/trunk/app/controllers/application_controller.rb) and is called depending upon before_filters in other controllers (like in
#6 Updated by Christian Migowski almost 2 years ago
Thank you so much for your help!
I was able to fix it / produce the expected behaviour by adding a new line to source:/trunk/app/controllers/users_controller.rb after line 21:
before_filter :authorize_global, :except => [:index]
But then, I really do not know what I was doing there, so maybe there is a better/cleaner solution to this.