Defect #28967
could the RESTAPI be used in the plugin with auth again?
| Status: | New | Start date: | ||
|---|---|---|---|---|
| Priority: | Normal | Due date: | ||
| Assignee: | - | % Done: | 0% | |
| Category: | REST API | |||
| Target version: | - | |||
| Resolution: | Affected version: |
Description
I wrote a plugin.
when I use $.ajax to access some rest api in the plugin, A login dialog is shown even if I have already logged in with redmine web.
could their a way for the RESTAPI to use the current user auth?
History
#1
Updated by jiangshan song 4 months ago
without
#2
Updated by Stephane Evr 4 months ago
I have the same issue, where basically any ajax call from a logged in user asking for json or xml format requires a separate authentication (e.g. /issues.json), but any other format does not (e.g. /issues).
I can see this is due to this commit: https://github.com/redmine/redmine/commit/ed165f671620409c39830a7d8326d37c27ea2fc1
Is there a security reason to that?
#3
Updated by Stephane Evr 4 months ago
Stephane Evr wrote:
I have the same issue, where basically any ajax call from a logged in user asking for json or xml format requires a separate authentication (e.g. /issues.json), but any other format does not (e.g. /issues).
I can see this is due to this commit: https://github.com/redmine/redmine/commit/ed165f671620409c39830a7d8326d37c27ea2fc1
Is there a security reason to that?
In my opinion, as long as the Ajax request contains Session Token + CSRF Token, there should not be any problem, no? And if no CSRF token is present, fallback to API auth mechanism.