30086-http-status-code-403-v2.patch

Go MAEDA, 2019-02-25 13:33

Download (2.7 KB)

View differences:

app/controllers/application_controller.rb
229 229
        format.any(:atom, :pdf, :csv) {
230 230
          redirect_to signin_path(:back_url => url)
231 231
        }
232
        format.xml  { head :unauthorized, 'WWW-Authenticate' => 'Basic realm="Redmine API"' }
232
        format.api  {
233
          if Setting.rest_api_enabled? && accept_api_auth?
234
            head(:unauthorized, 'WWW-Authenticate' => 'Basic realm="Redmine API"')
235
          else
236
            head(:forbidden)
237
          end
238
        }
233 239
        format.js   { head :unauthorized, 'WWW-Authenticate' => 'Basic realm="Redmine API"' }
234
        format.json { head :unauthorized, 'WWW-Authenticate' => 'Basic realm="Redmine API"' }
235 240
        format.any  { head :unauthorized }
236 241
      end
237 242
      return false
test/integration/api_test/disabled_rest_api_test.rb
41 41
    @token = Token.create!(:user => @user, :action => 'api')
42 42

  
43 43
    get "/news.xml?key=#{@token.value}"
44
    assert_response :unauthorized
44
    assert_response :forbidden
45 45
    assert_equal User.anonymous, User.current
46 46

  
47 47
    get "/news.json?key=#{@token.value}"
48
    assert_response :unauthorized
48
    assert_response :forbidden
49 49
    assert_equal User.anonymous, User.current
50 50
  end
51 51

  
......
55 55
    end
56 56

  
57 57
    get "/news.xml", :headers => credentials(@user.login, 'my_password')
58
    assert_response :unauthorized
58
    assert_response :forbidden
59 59
    assert_equal User.anonymous, User.current
60 60

  
61 61
    get "/news.json", :headers => credentials(@user.login, 'my_password')
62
    assert_response :unauthorized
62
    assert_response :forbidden
63 63
    assert_equal User.anonymous, User.current
64 64
  end
65 65

  
......
68 68
    @token = Token.create!(:user => @user, :action => 'api')
69 69

  
70 70
    get "/news.xml", :headers => credentials(@token.value, 'X')
71
    assert_response :unauthorized
71
    assert_response :forbidden
72 72
    assert_equal User.anonymous, User.current
73 73

  
74 74
    get "/news.json", :headers => credentials(@token.value, 'X')
75
    assert_response :unauthorized
75
    assert_response :forbidden
76 76
    assert_equal User.anonymous, User.current
77 77
  end
78 78
end