30086-http-status-code-403.patch

Yuichi HARADA, 2018-12-10 03:18

Download (3.17 KB)

View differences:

app/controllers/application_controller.rb
229 229
        format.any(:atom, :pdf, :csv) {
230 230
          redirect_to signin_path(:back_url => url)
231 231
        }
232
        format.xml  { head :unauthorized, 'WWW-Authenticate' => 'Basic realm="Redmine API"' }
232
        format.api  {
233
          if Setting.rest_api_enabled? && accept_api_auth?
234
            head(:unauthorized, 'WWW-Authenticate' => 'Basic realm="Redmine API"')
235
          else
236
            head(:forbidden)
237
          end
238
        }
233 239
        format.js   { head :unauthorized, 'WWW-Authenticate' => 'Basic realm="Redmine API"' }
234
        format.json { head :unauthorized, 'WWW-Authenticate' => 'Basic realm="Redmine API"' }
235 240
        format.any  { head :unauthorized }
236 241
      end
237 242
      return false
test/integration/api_test/disabled_rest_api_test.rb
41 41
    @token = Token.create!(:user => @user, :action => 'api')
42 42

  
43 43
    get "/news.xml?key=#{@token.value}"
44
    assert_response :unauthorized
44
    assert_response :forbidden
45 45
    assert_equal User.anonymous, User.current
46 46

  
47 47
    get "/news.json?key=#{@token.value}"
48
    assert_response :unauthorized
48
    assert_response :forbidden
49 49
    assert_equal User.anonymous, User.current
50 50
  end
51 51

  
......
55 55
    end
56 56

  
57 57
    get "/news.xml", :headers => credentials(@user.login, 'my_password')
58
    assert_response :unauthorized
58
    assert_response :forbidden
59 59
    assert_equal User.anonymous, User.current
60 60

  
61 61
    get "/news.json", :headers => credentials(@user.login, 'my_password')
62
    assert_response :unauthorized
62
    assert_response :forbidden
63
    assert_equal User.anonymous, User.current
64
  end
65

  
66
  def test_with_valid_username_and_wrong_password_http_authentication
67
    @user = User.generate! do |user|
68
      user.password = 'my_password'
69
    end
70

  
71
    get '/news.xml', :headers => credentials(@user.login, 'wrong_password')
72
    assert_response :forbidden
73
    assert_equal User.anonymous, User.current
74

  
75
    get "/news.json", :headers => credentials(@user.login, 'wrong_password')
76
    assert_response :forbidden
63 77
    assert_equal User.anonymous, User.current
64 78
  end
65 79

  
......
68 82
    @token = Token.create!(:user => @user, :action => 'api')
69 83

  
70 84
    get "/news.xml", :headers => credentials(@token.value, 'X')
71
    assert_response :unauthorized
85
    assert_response :forbidden
72 86
    assert_equal User.anonymous, User.current
73 87

  
74 88
    get "/news.json", :headers => credentials(@token.value, 'X')
75
    assert_response :unauthorized
89
    assert_response :forbidden
76 90
    assert_equal User.anonymous, User.current
77 91
  end
78 92
end