Defect #28967

Could the REST API be used in the plugin with auth again?

Added by jiangshan song 3 months ago. Updated about 1 month ago.

Status: New
Start date:
Priority: Normal
Due date:
Assignee: -
% Done: 0%
Category: REST API
Target version: -
Resolution:
Affected version:

Description

I wrote a plugin.
When I use $.ajax to access some REST API in the plugin, a login dialog is shown even if I have already logged in with the Redmine web interface.
Could there be a way for the REST API to use the current user auth?

History

#1 Updated by jiangshan song 3 months ago

without

#2 Updated by Stephane Evr about 1 month ago

I have the same issue, where basically any Ajax call from a logged-in user asking for JSON or XML format requires a separate authentication (e.g. /issues.json), but any other format does not (e.g. /issues).

I can see this is due to this commit: https://github.com/redmine/redmine/commit/ed165f671620409c39830a7d8326d37c27ea2fc1
Is there a security reason for that?

#3 Updated by Stephane Evr about 1 month ago

Stephane Evr wrote:

I have the same issue, where basically any Ajax call from a logged-in user asking for JSON or XML format requires a separate authentication (e.g. /issues.json), but any other format does not (e.g. /issues).

I can see this is due to this commit: https://github.com/redmine/redmine/commit/ed165f671620409c39830a7d8326d37c27ea2fc1
Is there a security reason for that?

In my opinion, as long as the Ajax request contains Session Token + CSRF Token, there should not be any problem, no? And if no CSRF token is present, fall back to the API auth mechanism.
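
The rule proposed in comment #3, sketched as an added example (not Redmine's code and not part of the thread): a session cookie is honoured for an API-format request only when the matching CSRF token accompanies it, otherwise only API credentials count. The session store, API key table, request fields and function names are all hypothetical, and the values are constructed.

```ruby
# Added example: a model of the rule proposed in comment #3, not Redmine code.
# All names and values below are hypothetical / constructed.
SESSIONS = { 'sess-1' => { user: 'alice', csrf: 'constructed-csrf-token-0001' } }.freeze
API_KEYS = { 'constructed-api-key-bob' => 'bob' }.freeze

# Compare tokens without stopping at the first differing byte.
def tokens_match?(expected, given)
  return false unless expected.is_a?(String) && given.is_a?(String)
  return false unless expected.bytesize == given.bytesize
  diff = 0
  expected.bytes.zip(given.bytes) { |a, b| diff |= a ^ b }
  diff.zero?
end

# A session cookie counts only together with the CSRF token bound to that
# session; otherwise only explicit API credentials are considered.
def authenticate_api_request(req)
  session = SESSIONS[req[:session_id]]
  if session && tokens_match?(session[:csrf], req[:csrf_token])
    return { user: session[:user], via: :session }
  end
  if (user = API_KEYS[req[:api_key]])
    return { user: user, via: :api_key }
  end
  { user: nil, via: :none } # the caller would answer 401 here
end

# Constructed requests covering each branch.
REQUESTS = {
  ajax_with_token: { session_id: 'sess-1', csrf_token: 'constructed-csrf-token-0001' },
  cookie_only:     { session_id: 'sess-1' },
  wrong_token:     { session_id: 'sess-1', csrf_token: 'constructed-csrf-token-XXXX' },
  cookie_and_key:  { session_id: 'sess-1', api_key: 'constructed-api-key-bob' },
  api_client:      { api_key: 'constructed-api-key-bob' }
}.freeze

if __FILE__ == $PROGRAM_NAME
  REQUESTS.each { |name, req| puts "#{name}: #{authenticate_api_request(req)}" }
end
```

In this model a request that carries the cookie but no valid token is never authenticated through the session, which is the case the CSRF token exists to cover.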
