Adds an optional X-Redmine-Switch-User header to let admin users switch user in API calls (#11755)....
Jean-Philippe Lang -
r10397:5344a35f723b
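--- a/<PATH_NOT_SHOWN_ON_PAGE: ApplicationController>
+++ b/<PATH_NOT_SHOWN_ON_PAGE: ApplicationController>
@@ -110,6 +110,16 @@ class ApplicationController < ActionController::Base
 user = User.try_to_login(username, password) || User.find_by_api_key(username)
 end
 end
+# Switch user if requested by an admin user
+if user && user.admin? && (username = api_switch_user_from_request)
+su = User.find_by_login(username)
+if su && su.active?
+logger.info(" User switched by: #{user.login} (id=#{user.id})") if logger
+user = su
+else
+render_error :message => 'Invalid X-Redmine-Switch-User header', :status => 412
+end
+end
 end
 user
 end
@@ -508,6 +518,11 @@ class ApplicationController < ActionController::Base
 end
 end
 
+# Returns the API 'switch user' value if present
+def api_switch_user_from_request
+request.headers["X-Redmine-Switch-User"].to_s.presence
+end
+
 # Renders a warning flash if obj has unsaved attachments
 def render_attachment_warning_if_needed(obj)
 flash[:warning] = l(:warning_attachments_not_saved, obj.unsaved_attachments.size) if obj.unsaved_attachments.present?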
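Review bot: When the switch target is missing or not active, the `else` branch renders the 412 but the method still falls through to the final `user` line and returns the admin, so a caller that assigns the return value would still see the admin as the current user unless the render halts the filter chain; adding `user = nil` after `render_error` makes the rejection explicit. The audit line on the success path records who switched but not whom they became, and a rejected attempt leaves no trace at all; `logger.info("User switched by: #{user.login} (id=#{user.id}) to: #{su.login} (id=#{su.id})") if logger` plus a `logger.warn` carrying the admin's login in the `else` branch gives operators something to alert on. Reusing `username` for the header value shadows the basic-auth `username` used on line 110; a name such as `switch_login` would read more clearly. The enclosing method starts outside the hunk, so it is not visible whether this block is already limited to API requests; if it is not, the comment should say that a session-authenticated admin is affected by the header as well.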
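--- a/<PATH_NOT_SHOWN_ON_PAGE: ApiTest::AuthenticationTest>
+++ b/<PATH_NOT_SHOWN_ON_PAGE: ApiTest::AuthenticationTest>
@@ -20,6 +20,14 @@ require File.expand_path('../../../test_helper', __FILE__)
 class ApiTest::AuthenticationTest < ActionController::IntegrationTest
 fixtures :users
 
+def setup
+Setting.rest_api_enabled = '1'
+end
+
+def teardown
+Setting.rest_api_enabled = '0'
+end
+
 def test_api_request_should_not_use_user_session
 log_user('jsmith', 'jsmith')
 
@@ -29,4 +37,37 @@ class ApiTest::AuthenticationTest < ActionController::IntegrationTest
 get '/users/current.json'
 assert_response 401
 end
+
+def test_api_should_accept_switch_user_header_for_admin_user
+user = User.find(1)
+su = User.find(4)
+
+get '/users/current', {}, {'X-Redmine-API-Key' => user.api_key, 'X-Redmine-Switch-User' => su.login}
+assert_response :success
+assert_equal su, assigns(:user)
+assert_equal su, User.current
+end
+
+def test_api_should_respond_with_412_when_trying_to_switch_to_a_invalid_user
+get '/users/current', {}, {'X-Redmine-API-Key' => User.find(1).api_key, 'X-Redmine-Switch-User' => 'foobar'}
+assert_response 412
+end
+
+def test_api_should_respond_with_412_when_trying_to_switch_to_a_locked_user
+user = User.find(5)
+assert user.locked?
+
+get '/users/current', {}, {'X-Redmine-API-Key' => User.find(1).api_key, 'X-Redmine-Switch-User' => user.login}
+assert_response 412
+end
+
+def test_api_should_not_accept_switch_user_header_for_non_admin_user
+user = User.find(2)
+su = User.find(4)
+
+get '/users/current', {}, {'X-Redmine-API-Key' => user.api_key, 'X-Redmine-Switch-User' => su.login}
+assert_response :success
+assert_equal user, assigns(:user)
+assert_equal user, User.current
+end
 end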
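Review bot: The two 412 tests (`test_api_should_respond_with_412_when_trying_to_switch_to_a_invalid_user` and the locked-user variant) assert only the status code, so they would not catch the admin's identity remaining in effect after a rejected switch; adding `assert_not_equal User.find(1), User.current` after each `assert_response 412` would pin that. There is also no case for an admin authenticated through a session rather than the API key sending the header, which is the path most likely to behave differently from the API-key tests here. Minor naming: `to_a_invalid_user` reads better as `to_an_invalid_user`.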