Defect #9099
REST API for USERS doesn't ask for authentication
Status: closed
0%
Description
I am using the Java API for Redmine which is using the Redmine REST API to communicate with Redmine and I am not able to retrieve user data because of the following problem:
In a Redmine environment with NO public projects, when making a user REST request like
GET /users/4.xml
it returns a 404 immediately instead of asking for authentication. When for example issues are requested, it works like this:
- > GET /issues/1.xml
- < 401 Unauthorized
- > again GET /issues/1.xml with authentication information
- < 200 OK with the requested data
I am using Redmine 1.2.1 and this is reproducible with mod_passenger on Apache httpd2 and WEBrick, so I guess it is a small glitch in Redmine.
It only happens on Redmine installations with no public projects; as soon as there is one public project, the request for users is working the same way as the one for issues.
Unfortunately I am completely unfamiliar with Ruby, Rails and Redmine, could you give some advice on how to solve this problem?
Updated by Etienne Massip over 13 years ago
- Status changed from New to Closed
- Resolution set to Invalid
REST is not an interactive process, so it should never ask the user anything, including authentication. The behavior you're describing looks correct to me.
Updated by Christian Migowski over 13 years ago
- Status changed from Closed to Reopened
So, why is requesting issues via REST, to use your wording, an "interactive process", but requesting users isn't?
So either the implementation of issue REST (projects works the same) or user REST is wrong.
Updated by Christian Migowski over 13 years ago
Thanks for your reconsideration!
Like I said, I am a Ruby/Rails/Redmine newbie (otherwise somewhat experienced programmer), but could you point me to the right source file where the differentiation between issues REST which is triggering the basic authentication and user REST which isn't triggering authentication is made?
I would like to try to fix it by myself, because this breaks the Redmine Java API for users which blocks me :(
Updated by Etienne Massip over 13 years ago
- Target version set to Candidate for next minor release
Ok, this is a bug, this 404 should be a 401.
Will have a closer look later and give you leads.
FYI, access control code is located in the ApplicationController class (source:/trunk/app/controllers/application_controller.rb) and is called depending upon before_filters in other controllers (like in UsersController).
Updated by Christian Migowski over 13 years ago
Thank you so much for your help!
I was able to fix it / produce the expected behaviour by adding a new line to source:/trunk/app/controllers/users_controller.rb after line 21:
before_filter :authorize_global, :except => [:index]
But then, I really do not know what I was doing there, so maybe there is a better/cleaner solution to this.
Thanks again!
Updated by Christian Migowski over 13 years ago
Oh... now I noticed that this works only for Administrator users :( So disregard my previous update, this is not a solution at all :(
Updated by Jan Niggemann (redmine.org team member) almost 12 years ago
- Status changed from Reopened to Needs feedback
Is this issue resolved and can it be closed?
Updated by Jan Niggemann (redmine.org team member) over 9 years ago
- Status changed from Needs feedback to Closed
- Resolution set to No feedback
Updated by Go MAEDA about 9 years ago
- Target version deleted (Candidate for next minor release)