summaryrefslogtreecommitdiffstats
path: root/Bugzilla/WebService
diff options
context:
space:
mode:
authorByron Jones <glob@mozilla.com>2015-03-09 07:22:42 +0100
committerByron Jones <glob@mozilla.com>2015-03-09 07:22:42 +0100
commit66a30b69f73012e64cfe1f78710cf095ddab2a3d (patch)
tree9d4ea8c968185852bdab5592746f0d68cc826de1 /Bugzilla/WebService
parentcf463a5e14da2b1c58686ff6b63e0e419ad644fe (diff)
downloadbugzilla-66a30b69f73012e64cfe1f78710cf095ddab2a3d.tar.gz
bugzilla-66a30b69f73012e64cfe1f78710cf095ddab2a3d.tar.xz
Bug 1140966: backport bug 1139257 to bmo (allow cookie+api-token GET REST requests)
Diffstat (limited to 'Bugzilla/WebService')
-rw-r--r--Bugzilla/WebService/Server/REST.pm23
1 files changed, 0 insertions, 23 deletions
diff --git a/Bugzilla/WebService/Server/REST.pm b/Bugzilla/WebService/Server/REST.pm
index a0e1d7150..5f1a6a321 100644
--- a/Bugzilla/WebService/Server/REST.pm
+++ b/Bugzilla/WebService/Server/REST.pm
@@ -177,29 +177,6 @@ sub response {
sub handle_login {
my $self = shift;
-
- # If we're being called using GET, we don't allow cookie-based or Env
- # login, because GET requests can be done cross-domain, and we don't
- # want private data showing up on another site unless the user
- # explicitly gives that site their username and password. (This is
- # particularly important for JSONP, which would allow a remote site
- # to use private data without the user's knowledge, unless we had this
- # protection in place.) We do allow this for GET /login as we need to
- # for Bugzilla::Auth::Persist::Cookie to create a login cookie that we
- # can also use for Bugzilla_token support. This is OK as it requires
- # a login and password to be supplied and will fail if they are not
- # valid for the user.
- if (!grep($_ eq $self->request->method, ('POST', 'PUT'))
- && !($self->bz_class_name eq 'Bugzilla::WebService::User'
- && $self->bz_method_name eq 'login'))
- {
- # XXX There's no particularly good way for us to get a parameter
- # to Bugzilla->login at this point, so we pass this information
- # around using request_cache, which is a bit of a hack. The
- # implementation of it is in Bugzilla::Auth::Login::Stack.
- Bugzilla->request_cache->{'auth_no_automatic_login'} = 1;
- }
-
my $class = $self->bz_class_name;
my $method = $self->bz_method_name;
my $full_method = $class . "." . $method;