REST GET / endpoint not working

[dregad]

Following the merge of #66, I tried to use the new endpoints and noticed that GET / is not working (this is right after successfully creating both a global and a personal Snippet, using the POST / endpoint).

• With global=1 I get HTTP 200 but it's actually a Mantis Access Denied error page

  GET http://localhost/mantis/api/rest/plugins/Snippets/?global=1
  
  HTTP/1.1 200 OK
  Date: Sun, 10 Sep 2023 10:09:36 GMT
  Server: Apache/2.4.57 (Unix) OpenSSL/3.1.2 PHP/8.1.22
  X-Powered-By: PHP/8.1.22
  Cache-Control: private, max-age=10800
  Last-Modified: Sun, 10 Sep 2023 10:02:40 GMT
  Content-Encoding: gzip
  Vary: Accept-Encoding
  Content-Length: 184
  Keep-Alive: timeout=5, max=100
  Connection: Keep-Alive
  Content-Type: text/html; charset=UTF-8
  
  <p class="center">Access Denied.</p><p class="center"><a class="btn btn-primary btn-white btn-round "
                                                           href="login_page.php?return=%2Fmantis%2Fapi%2Frest%2Findex.php%3Fglobal%3D1">Login</a>
  </p><p class="center"><a class="btn btn-primary btn-white btn-round " href="/mantis/my_view_page.php">Proceed</a></p>
  

• With global=0 I get HTTP 200 and an empty list, but there should be one Snippet; notice the X-Mantis-Username: anonymous header, which should actually be the administrator account owning the API Token I used for Authorization.

  GET http://localhost/mantis/api/rest/plugins/Snippets/?global=0
  
  HTTP/1.1 200 OK
  Date: Sun, 10 Sep 2023 10:07:25 GMT
  Server: Apache/2.4.57 (Unix) OpenSSL/3.1.2 PHP/8.1.22
  X-Powered-By: PHP/8.1.22
  Cache-Control: no-store, no-cache, must-revalidate, max-age=0
  Last-Modified: Sun, 10 Sep 2023 10:02:40 GMT
  X-Mantis-Username: anonymous
  X-Mantis-LoginMethod: cookie
  X-Mantis-Version: 2.26.0-dev
  Content-Length: 15
  Keep-Alive: timeout=5, max=100
  Connection: Keep-Alive
  Content-Type: application/json
  
  {
    "snippets": []
  }
  

[vboctor]

@dregad

• I fixed the access html / 2xx in case of access check error. I'll open an issue for making sure methods like ensure* and access_denied() are REST API friendly.
• I am not able to reproduce the second issue with anonymous. Authentication is handled by core, make sure API key is passed in your call.

See PR #69

[vboctor]

I have also seen some local servers redirect http to https and lose authentication headers in the process.

[dregad]

Thanks for the fix. I confirm that with #69 merged,

With global=1 I get HTTP 200 but it's actually a Mantis Access Denied error page

is fixed

With global=0 I get HTTP 200 and an empty list, but there should be one Snippet

is working fine on this computer (Windows 10 with ubuntu running on WSL) but it's not the same one I used when I got the issue last week, so I'll double-check on the other box (MacOS) later to make sure.

[dregad]

With global=0 I get HTTP 200 and an empty list, but there should be one Snippet

is no longer reproducible on my Mac (even with 8d9a4c0) so it must have been an environment-specific fluke.