-rw-r--r--Bugzilla/Auth.pm7
-rw-r--r--Bugzilla/WebService/Server/REST.pm7
2 files changed, 12 insertions, 2 deletions
diff --git a/Bugzilla/Auth.pm b/Bugzilla/Auth.pm
index 6583d4e8b..88eadbe19 100644
--- a/Bugzilla/Auth.pm
+++ b/Bugzilla/Auth.pm
@@ -172,8 +172,11 @@ sub _handle_login_result {
# because the persistance information can't be re-used again.
# (See Bugzilla::WebService::Server::JSONRPC for more info.)
if ($self->{_info_getter}->{successful}->requires_persistence
- and !Bugzilla->request_cache->{auth_no_automatic_login})
- {
+ and !(
+ Bugzilla->request_cache->{auth_no_automatic_login}
+ || Bugzilla->request_cache->{dont_persist_session}
+ )
+ ) {
$user->{_login_token} = $self->{_persister}->persist_login($user);
}
}
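Review bot: The comment above this condition still explains only the older case (it points at Bugzilla::WebService::Server::JSONRPC), so a reader of `_handle_login_result` cannot tell where `dont_persist_session` comes from or why it suppresses `persist_login()`. I would add a line directly above the `if`, such as `# dont_persist_session is set by Bugzilla::WebService::Server::REST::handle_login for every method except User.login.` Both flags are plain request_cache keys, so an unset or misspelled key evaluates false and the login is persisted; the condition fails open, and the same comment should say so. The function starts before the hunk, so any earlier handling of these flags is not visible here.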
diff --git a/Bugzilla/WebService/Server/REST.pm b/Bugzilla/WebService/Server/REST.pm
index 858375247..d94fb1d81 100644
--- a/Bugzilla/WebService/Server/REST.pm
+++ b/Bugzilla/WebService/Server/REST.pm
@@ -189,6 +189,13 @@ sub handle_login {
my $full_method = $class . "." . $method;
$full_method =~ s/^Bugzilla::WebService:://;
+ # We never want to create a new session unless the user is calling the
+ # login method. Setting dont_persist_session makes
+ # Bugzilla::Auth::_handle_login_result() skip calling persist_login().
+ if ($full_method ne 'User.login') {
+ Bugzilla->request_cache->{dont_persist_session} = 1;
+ }
+
# Bypass JSONRPC::handle_login
Bugzilla::WebService::Server->handle_login($class, $method, $full_method);
}
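Review bot: The flag set in the new `if` block only takes effect for requests that enter through this `handle_login`. Any other route into `Bugzilla::Auth::_handle_login_result()` leaves `dont_persist_session` unset and still creates a session, unless `auth_no_automatic_login` is set somewhere not visible in this hunk. The exact comparison `$full_method ne 'User.login'` is a sound default, since any unrecognised method name ends up without a session. The link between the two files is a bare hash key, though, so I would extend the comment with `# Security: this key must match the one tested in Bugzilla::Auth::_handle_login_result(); a mismatch silently re-enables session creation.` A regression test that calls a non-login REST method with credentials and asserts that no login token is issued would catch that kind of drift. The start of `handle_login` lies outside the hunk.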