diff options
author | Dave Lawrence <dlawrence@mozilla.com> | 2013-10-25 21:00:45 +0200 |
---|---|---|
committer | Dave Lawrence <dlawrence@mozilla.com> | 2013-10-25 21:00:45 +0200 |
commit | 9c5c3b20f521097f106b37fa9fa1c67ecd50f167 (patch) | |
tree | abda009ec13da7749f887f3ad4efef19ff8ee14e /Bugzilla | |
parent | bc3208378008a78c3cc2494eecd7f5144c7c79fa (diff) | |
download | bugzilla-9c5c3b20f521097f106b37fa9fa1c67ecd50f167.tar.gz bugzilla-9c5c3b20f521097f106b37fa9fa1c67ecd50f167.tar.xz |
Bug 921523 - backport upstream bug 917669 to bmo/4.2 to throw error when invalid cookies/tokens are used with webservices
Diffstat (limited to 'Bugzilla')
-rw-r--r-- | Bugzilla/Auth/Login/Cookie.pm | 17 | ||||
-rw-r--r-- | Bugzilla/Template.pm | 5 | ||||
-rw-r--r-- | Bugzilla/WebService.pm | 7 |
3 files changed, 18 insertions, 11 deletions
diff --git a/Bugzilla/Auth/Login/Cookie.pm b/Bugzilla/Auth/Login/Cookie.pm index 4db486a8f..62a6c58a9 100644 --- a/Bugzilla/Auth/Login/Cookie.pm +++ b/Bugzilla/Auth/Login/Cookie.pm @@ -21,6 +21,7 @@ use base qw(Bugzilla::Auth::Login); use Bugzilla::Constants; use Bugzilla::Util; +use Bugzilla::Error; use List::Util qw(first); @@ -88,12 +89,16 @@ sub get_login_info { WHERE cookie = ?", undef, $login_cookie); return { user_id => $user_id }; } + elsif (i_am_webservice()) { + ThrowUserError('invalid_cookies_or_token'); + } } - # Either the he cookie is invalid, or we got no cookie. We don't want - # to ever return AUTH_LOGINFAILED, because we don't want Bugzilla to - # actually throw an error when it gets a bad cookie. It should just - # look like there was no cookie to begin with. + # Either the cookie or token is invalid and we are not authenticating + # via a webservice, or we did not receive a cookie or token. We don't + # want to ever return AUTH_LOGINFAILED, because we don't want Bugzilla to + # actually throw an error when it gets a bad cookie or token. It should just + # look like there was no cookie or token to begin with. return { failure => AUTH_NODATA }; } @@ -104,9 +109,7 @@ sub login_token { return $self->{'_login_token'} if exists $self->{'_login_token'}; - if ($usage_mode ne USAGE_MODE_XMLRPC - && $usage_mode ne USAGE_MODE_JSON - && $usage_mode ne USAGE_MODE_REST) { + if (!i_am_webservice()) { return $self->{'_login_token'} = undef; } diff --git a/Bugzilla/Template.pm b/Bugzilla/Template.pm index b529caf89..c3839b11b 100644 --- a/Bugzilla/Template.pm +++ b/Bugzilla/Template.pm @@ -832,10 +832,7 @@ sub create { # (Wrapping the message in the WebService is unnecessary # and causes awkward things like \n's appearing in error # messages in JSON-RPC.) - unless (Bugzilla->usage_mode == USAGE_MODE_JSON - or Bugzilla->usage_mode == USAGE_MODE_XMLRPC - or Bugzilla->usage_mode == USAGE_MODE_REST) - { + unless (i_am_webservice()) { $var = wrap_comment($var, 72); } $var =~ s/\ / /g; diff --git a/Bugzilla/WebService.pm b/Bugzilla/WebService.pm index c930b02dc..60642c5e8 100644 --- a/Bugzilla/WebService.pm +++ b/Bugzilla/WebService.pm @@ -188,6 +188,13 @@ For REST, you may also use the C<username> and C<password> variable names instead of C<Bugzilla_login> and C<Bugzilla_password> as a convenience. +=item B<Added in Bugzilla 5.0> + +An error is now thrown if you pass invalid cookies or an invalid token. +You will need to log in again to get new cookies or a new token. Previous +releases simply ignored invalid cookies and token support was added in +Bugzilla B<5.0>. + =back =head1 STABLE, EXPERIMENTAL, and UNSTABLE |