Bug 1139257: allow cookie+api-token GET REST requests

r=dkl,a=glob

1 files changed, 0 insertions, 23 deletions

diff --git a/Bugzilla/WebService/Server/REST.pm b/Bugzilla/WebService/Server/REST.pm
index b3d35595f..940045b26 100644
--- a/Bugzilla/WebService/Server/REST.pm
+++ b/Bugzilla/WebService/Server/REST.pm
@@ -167,29 +167,6 @@ sub response {
 
 sub handle_login {
     my $self = shift;
-
-    # If we're being called using GET, we don't allow cookie-based or Env
-    # login, because GET requests can be done cross-domain, and we don't
-    # want private data showing up on another site unless the user
-    # explicitly gives that site their username and password. (This is
-    # particularly important for JSONP, which would allow a remote site
-    # to use private data without the user's knowledge, unless we had this
-    # protection in place.) We do allow this for GET /login as we need to
-    # for Bugzilla::Auth::Persist::Cookie to create a login cookie that we
-    # can also use for Bugzilla_token support. This is OK as it requires
-    # a login and password to be supplied and will fail if they are not
-    # valid for the user.
-    if (!grep($_ eq $self->request->method, ('POST', 'PUT'))
-        && !($self->bz_class_name eq 'Bugzilla::WebService::User'
-            && $self->bz_method_name eq 'login'))
-    {
-        # XXX There's no particularly good way for us to get a parameter
-        # to Bugzilla->login at this point, so we pass this information
-        # around using request_cache, which is a bit of a hack. The
-        # implementation of it is in Bugzilla::Auth::Login::Stack.
-        Bugzilla->request_cache->{'auth_no_automatic_login'} = 1;
-    }
-
     my $class = $self->bz_class_name;
     my $method = $self->bz_method_name;
     my $full_method = $class . "." . $method;