Bug 1139257: allow cookie+api-token GET REST requests

r=dkl,a=glob
bugzilla · Mar 9, 2015 · 243d66a · 243d66a
1 parent 4a900ca
commit 243d66a
Show file tree

Hide file tree

Showing 2 changed files with 18 additions and 31 deletions.
diff --git a/Bugzilla/Auth/Login/Cookie.pm b/Bugzilla/Auth/Login/Cookie.pm
@@ -54,15 +54,25 @@ sub get_login_info {
 
         # If the call is for a web service, and an api token is provided, check
         # it is valid.
-        if (i_am_webservice() && Bugzilla->input_params->{Bugzilla_api_token}) {
-            my $api_token = Bugzilla->input_params->{Bugzilla_api_token};
-            my ($token_user_id, undef, undef, $token_type)
-                = Bugzilla::Token::GetTokenData($api_token);
-            if (!defined $token_type
-                || $token_type ne 'api_token'
-                || $user_id != $token_user_id)
+        if (i_am_webservice()) {
+            if ($login_cookie
+                && Bugzilla->usage_mode == USAGE_MODE_REST
+                && !exists Bugzilla->input_params->{Bugzilla_api_token})
             {
-                ThrowUserError('auth_invalid_token', { token => $api_token });
+                # REST requires an api-token when using cookie authentication
+                # fall back to a non-authenticated request
+                $login_cookie = '';
+
+            } elsif (Bugzilla->input_params->{Bugzilla_api_token}) {
+                my $api_token = Bugzilla->input_params->{Bugzilla_api_token};
+                my ($token_user_id, undef, undef, $token_type)
+                    = Bugzilla::Token::GetTokenData($api_token);
+                if (!defined $token_type
+                    || $token_type ne 'api_token'
+                    || $user_id != $token_user_id)
+                {
+                    ThrowUserError('auth_invalid_token', { token => $api_token });
+                }
             }
         }
     }

diff --git a/Bugzilla/WebService/Server/REST.pm b/Bugzilla/WebService/Server/REST.pm
@@ -167,29 +167,6 @@ sub response {
 
 sub handle_login {
     my $self = shift;
-
-    # If we're being called using GET, we don't allow cookie-based or Env
-    # login, because GET requests can be done cross-domain, and we don't
-    # want private data showing up on another site unless the user
-    # explicitly gives that site their username and password. (This is
-    # particularly important for JSONP, which would allow a remote site
-    # to use private data without the user's knowledge, unless we had this
-    # protection in place.) We do allow this for GET /login as we need to
-    # for Bugzilla::Auth::Persist::Cookie to create a login cookie that we
-    # can also use for Bugzilla_token support. This is OK as it requires
-    # a login and password to be supplied and will fail if they are not
-    # valid for the user.
-    if (!grep($_ eq $self->request->method, ('POST', 'PUT'))
-        && !($self->bz_class_name eq 'Bugzilla::WebService::User'
-            && $self->bz_method_name eq 'login'))
-    {
-        # XXX There's no particularly good way for us to get a parameter
-        # to Bugzilla->login at this point, so we pass this information
-        # around using request_cache, which is a bit of a hack. The
-        # implementation of it is in Bugzilla::Auth::Login::Stack.
-        Bugzilla->request_cache->{'auth_no_automatic_login'} = 1;
-    }
-
     my $class = $self->bz_class_name;
     my $method = $self->bz_method_name;
     my $full_method = $class . "." . $method;