| @@ -110,6 +110,16 class ApplicationController < ActionController::Base | |||
|
|
110 | 110 | user = User.try_to_login(username, password) || User.find_by_api_key(username) |
|
|
111 | 111 | end |
|
|
112 | 112 | end |
|
|
113 | # Switch user if requested by an admin user | |
|
|
114 | if user && user.admin? && (username = api_switch_user_from_request) | |
|
|
115 | su = User.find_by_login(username) | |
|
|
116 | if su && su.active? | |
|
|
117 | logger.info(" User switched by: #{user.login} (id=#{user.id})") if logger | |
|
|
118 | user = su | |
|
|
119 | else | |
|
|
120 | render_error :message => 'Invalid X-Redmine-Switch-User header', :status => 412 | |
|
|
121 | end | |
|
|
122 | end | |
|
|
113 | 123 | end |
|
|
114 | 124 | user |
|
|
115 | 125 | end |
| @@ -508,6 +518,11 class ApplicationController < ActionController::Base | |||
|
|
508 | 518 | end |
|
|
509 | 519 | end |
|
|
510 | 520 | |
|
|
521 | # Returns the API 'switch user' value if present | |
|
|
522 | def api_switch_user_from_request | |
|
|
523 | request.headers["X-Redmine-Switch-User"].to_s.presence | |
|
|
524 | end | |
|
|
525 | ||
|
|
511 | 526 | # Renders a warning flash if obj has unsaved attachments |
|
|
512 | 527 | def render_attachment_warning_if_needed(obj) |
|
|
513 | 528 | flash[:warning] = l(:warning_attachments_not_saved, obj.unsaved_attachments.size) if obj.unsaved_attachments.present? |
| @@ -20,6 +20,14 require File.expand_path('../../../test_helper', __FILE__) | |||
|
|
20 | 20 | class ApiTest::AuthenticationTest < ActionController::IntegrationTest |
|
|
21 | 21 | fixtures :users |
|
|
22 | 22 | |
|
|
23 | def setup | |
|
|
24 | Setting.rest_api_enabled = '1' | |
|
|
25 | end | |
|
|
26 | ||
|
|
27 | def teardown | |
|
|
28 | Setting.rest_api_enabled = '0' | |
|
|
29 | end | |
|
|
30 | ||
|
|
23 | 31 | def test_api_request_should_not_use_user_session |
|
|
24 | 32 | log_user('jsmith', 'jsmith') |
|
|
25 | 33 | |
| @@ -29,4 +37,37 class ApiTest::AuthenticationTest < ActionController::IntegrationTest | |||
|
|
29 | 37 | get '/users/current.json' |
|
|
30 | 38 | assert_response 401 |
|
|
31 | 39 | end |
|
|
40 | ||
|
|
41 | def test_api_should_accept_switch_user_header_for_admin_user | |
|
|
42 | user = User.find(1) | |
|
|
43 | su = User.find(4) | |
|
|
44 | ||
|
|
45 | get '/users/current', {}, {'X-Redmine-API-Key' => user.api_key, 'X-Redmine-Switch-User' => su.login} | |
|
|
46 | assert_response :success | |
|
|
47 | assert_equal su, assigns(:user) | |
|
|
48 | assert_equal su, User.current | |
|
|
49 | end | |
|
|
50 | ||
|
|
51 | def test_api_should_respond_with_412_when_trying_to_switch_to_a_invalid_user | |
|
|
52 | get '/users/current', {}, {'X-Redmine-API-Key' => User.find(1).api_key, 'X-Redmine-Switch-User' => 'foobar'} | |
|
|
53 | assert_response 412 | |
|
|
54 | end | |
|
|
55 | ||
|
|
56 | def test_api_should_respond_with_412_when_trying_to_switch_to_a_locked_user | |
|
|
57 | user = User.find(5) | |
|
|
58 | assert user.locked? | |
|
|
59 | ||
|
|
60 | get '/users/current', {}, {'X-Redmine-API-Key' => User.find(1).api_key, 'X-Redmine-Switch-User' => user.login} | |
|
|
61 | assert_response 412 | |
|
|
62 | end | |
|
|
63 | ||
|
|
64 | def test_api_should_not_accept_switch_user_header_for_non_admin_user | |
|
|
65 | user = User.find(2) | |
|
|
66 | su = User.find(4) | |
|
|
67 | ||
|
|
68 | get '/users/current', {}, {'X-Redmine-API-Key' => user.api_key, 'X-Redmine-Switch-User' => su.login} | |
|
|
69 | assert_response :success | |
|
|
70 | assert_equal user, assigns(:user) | |
|
|
71 | assert_equal user, User.current | |
|
|
72 | end | |
|
|
32 | 73 | end |
General Comments 0
You need to be logged in to leave comments.
Login now