author | Vladimir Panteleev <github.private@thecybershadow.net> | 2018-04-03 20:40:18 +0200 |
---|---|---|
committer | Dylan William Hardison <dylan@hardison.net> | 2018-04-03 20:40:18 +0200 |
commit | 956abd838811d93329ad5e3eee030d1f43a81652 (patch) | |
tree | 5b935b721176c936bc1a733618cc5055c1d12380 /editsettings.cgi | |
parent | d6649d2aa6be0328d7a605a76655923781d147da (diff) | |
download | bugzilla-956abd838811d93329ad5e3eee030d1f43a81652.tar.gz bugzilla-956abd838811d93329ad5e3eee030d1f43a81652.tar.xz |
Bug 1450920 - Don't pass blank API token to JSON-RPC in instant search

When an API token is seen by JSON-RPC, it will attempt to authenticate
it, including blank tokens (empty strings). Thus, avoid passing an
empty string in the first place.

The pattern to pass an empty string in the absence of
BUGZILLA.api_token is the most common way to include the
Bugzilla_api_token in the JSON-RPC requests. However, most places
which pass a token to JSON-RPC in JavaScript are in contexts where a
user is expected to be logged in, and this is not the case for instant
search.

Although this could have been fixed by patching
Bugzilla::Auth::Login::Cookie::get_login_info to treat empty API
tokens as if none were given, this method was chosen, as this is also
the approach used in the ProdCompSearch extension (where a login
session also does not need to be required), and to avoid possible
breakage in JSON-RPC consumers.

Diffstat (limited to 'editsettings.cgi')
0 files changed, 0 insertions, 0 deletions