author: Vladimir Panteleev <github.private@thecybershadow.net> 2018-04-03 20:40:18 +0200
committer: Dylan William Hardison <dylan@hardison.net> 2018-04-03 20:40:18 +0200
commit: 956abd838811d93329ad5e3eee030d1f43a81652
tree: 5b935b721176c936bc1a733618cc5055c1d12380 /xml.cgi
parent: d6649d2aa6be0328d7a605a76655923781d147da
Bug 1450920 - Don't pass blank API token to JSON-RPC in instant search

When an API token is seen by JSON-RPC, it will attempt to authenticate it, including blank tokens (empty strings). Thus, avoid passing an empty string in the first place.

The pattern to pass an empty string in the absence of BUGZILLA.api_token is the most common way to include the Bugzilla_api_token in the JSON-RPC requests. However, most places which pass a token to JSON-RPC in JavaScript are in contexts where a user is expected to be logged in, and this is not the case for instant search.

Although this could have been fixed by patching Bugzilla::Auth::Login::Cookie::get_login_info to treat empty API tokens as if none were given, this method was chosen, as this is also the approach used in the ProdCompSearch extension (where a login session also does not need to be required), and to avoid possible breakage in JSON-RPC consumers.
Diffstat (limited to 'xml.cgi')
0 files changed, 0 insertions, 0 deletions
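The difference the commit message describes, as an added example that is not code from this commit or from Bugzilla: the always-send pattern is compared with omitting the key when no token exists, against a simplified model of a server that tries to authenticate any token it receives. Only `BUGZILLA.api_token` and `Bugzilla_api_token` come from the page; the function names, the server model, the token value and the search arguments are constructed assumptions.

```javascript
// Added example. Only BUGZILLA.api_token and Bugzilla_api_token come from the
// commit message; every other name and value here is hypothetical.

// Common pattern: the key is always sent, falling back to an empty string.
function buildParamsAlwaysSend(BUGZILLA, args) {
  return Object.assign({}, args, { Bugzilla_api_token: BUGZILLA.api_token || '' });
}

// Approach chosen in the commit: add the key only when a non-empty token exists.
function buildParamsOmitBlank(BUGZILLA, args) {
  const params = Object.assign({}, args);
  if (typeof BUGZILLA.api_token === 'string' && BUGZILLA.api_token !== '') {
    params.Bugzilla_api_token = BUGZILLA.api_token;
  }
  return params;
}

// Simplified model (an assumption, not Bugzilla's code) of the behaviour the
// message describes: any token that is present is authenticated, even ''.
function modelServerAuth(params, validTokens) {
  if (!Object.prototype.hasOwnProperty.call(params, 'Bugzilla_api_token')) {
    return 'anonymous';            // no token seen: request proceeds logged out
  }
  return validTokens.has(params.Bugzilla_api_token)
    ? 'authenticated'
    : 'auth_error';                // '' is not a valid token, so the call fails
}

// Run both builders for a logged-out page and a logged-in page.
function compareBuilders() {
  const validTokens = new Set(['constructed-token-123']); // constructed value
  const loggedOut = {};                                   // no api_token set
  const loggedIn = { api_token: 'constructed-token-123' };
  const args = { summary: 'crash on startup' };           // constructed input
  return {
    loggedOutAlwaysSend: modelServerAuth(buildParamsAlwaysSend(loggedOut, args), validTokens),
    loggedOutOmitBlank: modelServerAuth(buildParamsOmitBlank(loggedOut, args), validTokens),
    loggedInAlwaysSend: modelServerAuth(buildParamsAlwaysSend(loggedIn, args), validTokens),
    loggedInOmitBlank: modelServerAuth(buildParamsOmitBlank(loggedIn, args), validTokens),
  };
}

console.log(compareBuilders());
```

Only the logged-out case differs between the two builders, which is why the always-send pattern goes unnoticed on pages that require a login.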