Snippets not working with $g_login_method = HTTP_AUTH #73
Bonjour Gérald, Did you actually define any Global and/or User-specific Snippets? The selection list will only be shown for the configured fields, when there is at least one Snippet available to the current user. It could also be a problem with the AJAX not being able to retrieve Snippets from the plugin's REST API back-end, but in this case you should see something in the browser's console log.
I added some explanation and screenshot to the README file.
Hi Gerald
OK, I get an error in the console: 403 API token not found. I never used webservices in Mantis. I did some conf but still have the issue: same 403 error
This is really weird. It should not be needed to define an API token here at all, because for "internal" REST API calls such as the one used to retrieve the Snippets, users are normally authenticated automatically, using their MantisBT session cookie. This is the code that handles it. So apparently the request is made with an Can you provide details about the failing XHR request?
Which details do you exactly need? Could it be related to the auth method I use?: HTTP_AUTH
From browser console, you should be able to export the request as a .HAR file, that would be fine.
Maybe, I don't really know as I never actually used Mantis with that authentication method, and TBH I have little knowledge of it. Reading https://developer.mozilla.org/en-US/docs/Web/HTTP/Authentication, I see that it uses the same Can you maybe make a test with another authentication method, to see what happens?
Hum, I prefer not to link a HAR file with all URLs... My request:
The response:
I have wanted to use the default authentication in Mantis (login/password from database) for years, but as it is still using MD5, I can't... so I rely on HTTP_AUTH, which is the only method I can implement, but I have to modify the source of Mantis whenever I install a new version. I added a note in the issue for the use of bcrypt. Thank you for your help, Gérald
Yes I know, this is pretty bad and has been a long-standing issue, but it's highly complex to fix it properly and sadly I never find the time to do it... Sorry 😞
So this is as I suspected, and most likely the root cause, because the REST API just checks for existence of Authorization header to determine if it should process the request as an "internal" API call (authenticated via Mantis cookie), and does not verify the actual contents, so this is interpreted as a regular API token but it's not. This could be considered a bug in MantisBT core actually. Need to think about it. @vboctor your feedback on this would be appreciated. I'm afraid there is no immediate and easy solution to this. Some ideas to play with:
Not having a working setup to reproduce this locally, it is a bit difficult for me to test this properly, because I can only "fake" things by submitting manually constructed requests.
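The behaviour described in the comment above, modelled as an added example that is not part of this thread or of MantisBT's code: a presence-only check on the Authorization header sends a cookie-authenticated XHR behind HTTP auth down the API-token path, while a scheme-aware check (one possible approach, not a fix proposed on this page) lets the session cookie decide. Function names, the `SESSION` cookie name, the token table and the assumption that API tokens are sent as a bare header value are hypothetical.

```php
<?php
// Added illustration, not MantisBT source. Function names, the cookie name and
// the token table are hypothetical; every value below is constructed.
const KNOWN_TOKENS = ['constructed-api-token-0001' => 'apiuser'];

function by_token(string $auth): array {
    return array_key_exists($auth, KNOWN_TOKENS)
        ? [200, 'token user ' . KNOWN_TOKENS[$auth]]
        : [403, 'API token not found'];
}

function by_cookie(array $cookies): array {
    return isset($cookies['SESSION'])
        ? [200, 'internal call, session ' . $cookies['SESSION']]
        : [401, 'no credentials'];
}

// Behaviour described in the thread: the mere presence of an Authorization
// header selects the API-token path; its contents are not inspected.
function classify_presence_only(array $headers, array $cookies): array {
    $auth = trim($headers['Authorization'] ?? '');
    return $auth !== '' ? by_token($auth) : by_cookie($cookies);
}

// Scheme-aware variant (one possible approach): a value that starts with an
// HTTP authentication scheme belongs to the web server, so the cookie decides.
function classify_scheme_aware(array $headers, array $cookies): array {
    $auth = trim($headers['Authorization'] ?? '');
    $http_scheme = preg_match('/^(Basic|Digest|Negotiate|NTLM)\s+\S/i', $auth) === 1;
    return ($auth !== '' && !$http_scheme) ? by_token($auth) : by_cookie($cookies);
}

// Constructed sample requests: [headers, cookies].
$requests = [
    'XHR behind HTTP auth' => [
        ['Authorization' => 'Basic ' . base64_encode('user:constructed-pw')],
        ['SESSION' => 'abc123'],
    ],
    'XHR, cookie only'      => [[], ['SESSION' => 'abc123']],
    'API client, token'     => [['Authorization' => 'constructed-api-token-0001'], []],
    'API client, bad token' => [['Authorization' => 'nope'], []],
];

foreach ($requests as $label => [$headers, $cookies]) {
    [$s1, $m1] = classify_presence_only($headers, $cookies);
    [$s2, $m2] = classify_scheme_aware($headers, $cookies);
    printf("%-22s presence-only: %d %-32s scheme-aware: %d %s\n", $label, $s1, $m1, $s2, $m2);
}
```

Only the first request differs between the two functions: the presence-only check returns the 403 reported in this thread, the scheme-aware one authenticates through the session cookie.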
Similar problem https://mantisbt.org/bugs/view.php?id=25362
I successfully installed Snippets on V2.26.0. I can configure it
but didn't find how to use them in the create or update forms... I don't see any new form field... I don't get errors in the log...
Can you post a screenshot of the integration of snippet in the create or update form?
Thank you for your help
Gérald