Bug 1139257: allow cookie+api-token GET REST requests

r=dkl,a=glob

1 files changed, 18 insertions, 8 deletions

diff --git a/Bugzilla/Auth/Login/Cookie.pm b/Bugzilla/Auth/Login/Cookie.pm
index c09f08d24..3139e127b 100644
--- a/Bugzilla/Auth/Login/Cookie.pm
+++ b/Bugzilla/Auth/Login/Cookie.pm
@@ -54,15 +54,25 @@ sub get_login_info {
 
         # If the call is for a web service, and an api token is provided, check
         # it is valid.
-        if (i_am_webservice() && Bugzilla->input_params->{Bugzilla_api_token}) {
-            my $api_token = Bugzilla->input_params->{Bugzilla_api_token};
-            my ($token_user_id, undef, undef, $token_type)
-                = Bugzilla::Token::GetTokenData($api_token);
-            if (!defined $token_type
-                || $token_type ne 'api_token'
-                || $user_id != $token_user_id)
+        if (i_am_webservice()) {
+            if ($login_cookie
+                && Bugzilla->usage_mode == USAGE_MODE_REST
+                && !exists Bugzilla->input_params->{Bugzilla_api_token})
             {
-                ThrowUserError('auth_invalid_token', { token => $api_token });
+                # REST requires an api-token when using cookie authentication
+                # fall back to a non-authenticated request
+                $login_cookie = '';
+
+            } elsif (Bugzilla->input_params->{Bugzilla_api_token}) {
+                my $api_token = Bugzilla->input_params->{Bugzilla_api_token};
+                my ($token_user_id, undef, undef, $token_type)
+                    = Bugzilla::Token::GetTokenData($api_token);
+                if (!defined $token_type
+                    || $token_type ne 'api_token'
+                    || $user_id != $token_user_id)
+                {
+                    ThrowUserError('auth_invalid_token', { token => $api_token });
+                }
             }
         }
     }