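--- a/PATH_NOT_ON_PAGE
+++ b/PATH_NOT_ON_PAGE
@@ -119,7 +119,7 @@ class ApplicationController < ActionController::Base
 if (key = api_key_from_request)
 # Use API key
 user = User.find_by_api_key(key)
-else
+elsif request.authorization.to_s =~ /\ABasic /i
 # HTTP Basic, either username/password or API key/random
 authenticate_with_http_basic do |username, password|
 user = User.try_to_login(username, password) || User.find_by_api_key(username)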
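Review bot: The new `elsif` on line 122 carries no comment saying why the Authorization scheme is now checked before `authenticate_with_http_basic` is called, and the surviving `# HTTP Basic, either username/password or API key/random` comment does not tell a reader that a request with a non-Basic header (a Digest one in the companion test) now deliberately ends this chain with no user set. Suggest a why-comment on the `elsif`, e.g. `# Only hand the header to the Basic helper when it actually carries Basic credentials; other schemes are ignored rather than decoded as if they were username:password.` — the "decoded as if" half is inferred from how the Rails helper treats the header and should be confirmed against the Rails version in use. The regex also demands exactly one space after `Basic`; if tolerance for the `1*SP` the RFC allows matters here, `/\ABasic\s+/i` is the one-character change. The enclosing method begins before and continues after this hunk.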
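--- a/PATH_NOT_ON_PAGE
+++ b/PATH_NOT_ON_PAGE
@@ -384,8 +384,8 @@ class User < Principal
 # Find a user account by matching the exact login and then a case-insensitive
 # version. Exact matches will be given priority.
 def self.find_by_login(login)
+login = Redmine::CodesetUtil.replace_invalid_utf8(login.to_s)
 if login.present?
-login = login.to_s
 # First look for an exact match
 user = where(:login => login).detect {|u| u.login == login}
 unless user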
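Review bot: The method comment on lines 384–385 still describes only the exact/case-insensitive lookup and says nothing about the new normalisation on line 387, which is the security-relevant part of this change. Suggest extending it with `# Invalid UTF-8 byte sequences in +login+ are replaced before the lookup, so malformed input (e.g. from an HTTP Basic header) is compared safely instead of raising on comparison with stored logins.` — the "instead of raising" part is inferred from the companion test's name rather than from anything visible in this hunk, so confirm it before committing the wording. It is also worth stating that a login containing invalid bytes can never equal a stored login once replaced, i.e. such requests fail closed rather than matching some other account. `find_by_login` continues past the hunk; the case-insensitive fallback after `unless user` is cut off here.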
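--- a/PATH_NOT_ON_PAGE
+++ b/PATH_NOT_ON_PAGE
@@ -28,6 +28,29 @@ class Redmine::ApiTest::AuthenticationTest < Redmine::ApiTest::Base
 Setting.rest_api_enabled = '0'
 end
 
+def test_api_should_trigger_basic_http_auth_with_basic_authorization_header
+ApplicationController.any_instance.expects(:authenticate_with_http_basic).once
+get '/users/current.xml', {}, credentials('jsmith')
+assert_response 401
+end
+
+def test_api_should_not_trigger_basic_http_auth_with_non_basic_authorization_header
+ApplicationController.any_instance.expects(:authenticate_with_http_basic).never
+get '/users/current.xml', {}, 'HTTP_AUTHORIZATION' => 'Digest foo bar'
+assert_response 401
+end
+
+def test_invalid_utf8_credentials_should_not_trigger_an_error
+invalid_utf8 = "\x82"
+if invalid_utf8.respond_to?(:force_encoding)
+invalid_utf8.force_encoding('UTF-8')
+assert !invalid_utf8.valid_encoding?
+end
+assert_nothing_raised do
+get '/users/current.xml', {}, credentials(invalid_utf8, "foo")
+end
+end
+
 def test_api_request_should_not_use_user_session
 log_user('jsmith', 'jsmith')
 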
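Review bot: `test_invalid_utf8_credentials_should_not_trigger_an_error` only checks that the request does not raise and never asserts what the server answered, so a regression that let malformed credentials through would still pass. Add `assert_response 401` after the `assert_nothing_raised` block — once the login has gone through `replace_invalid_utf8` no user can match, so 401 is presumably the expected outcome, but confirm it against the controller. In the first new test, `expects(...).once` also stubs `authenticate_with_http_basic`, so no user is ever set and the 401 is an artifact of the stub rather than a rejection of jsmith's credentials; a one-line comment such as `# expects() stubs the helper, so the request stays unauthenticated` would save a reader that puzzle. The `respond_to?(:force_encoding)` guard looks like a Ruby 1.8 compatibility branch; saying so in a comment would make it easy to drop later.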