From fd29ee56c4678749c00e7698ef245f7e2967ee10 Mon Sep 17 00:00:00 2001
From: Simon Green <sgreen@redhat.com>
Date: Sun, 27 Jul 2014 18:47:21 +1000
Subject: Bug 726696 - All authenticated WebServices methods should require
 username/pass, token or a valid API key for authentication r=dkl, a=sgreen

---
 Bugzilla/WebService.pm | 34 ++++++++++++++++++++++++++++------
 1 file changed, 28 insertions(+), 6 deletions(-)

(limited to 'Bugzilla/WebService.pm')

diff --git a/Bugzilla/WebService.pm b/Bugzilla/WebService.pm
index 1dc04c1f6..d12d4dbac 100644
--- a/Bugzilla/WebService.pm
+++ b/Bugzilla/WebService.pm
@@ -134,14 +134,22 @@ how this is implemented for those frontends.
 
 =head1 LOGGING IN
 
-There are various ways to log in:
+Some methods do not require you to log in. An example of this is Bug.get.
+However, authenticating yourself allows you to see non public information. For
+example, a bug that is not publicly visible.
+
+There are two ways to authenticate yourself:
 
 =over
 
-=item C<User.login>
+=item C<Bugzilla_api_key>
 
-You can use L<Bugzilla::WebService::User/login> to log in as a Bugzilla
-user. This issues a token that you must then use in future calls.
+B<Added in Bugzilla 5.0>
+
+You can specify C<Bugzilla_api_key> as an argument to any WebService method, and
+you will be logged in as that user if the key is correct, and has not been
+revoked. You can set up an API key by using the 'API Key' tab in the
+Preferences pages.
 
 =item C<Bugzilla_login> and C<Bugzilla_password>
 
@@ -164,15 +172,29 @@ then your login will only be valid for your IP address.
 =back
 
 The C<Bugzilla_restrictlogin> option is only used when you have also
-specified C<Bugzilla_login> and C<Bugzilla_password>.
+specified C<Bugzilla_login> and C<Bugzilla_password>. This value will be
+deprecated in the release after Bugzilla 5.0 and you will be required to
+pass the Bugzilla_login and Bugzilla_password for every call.
 
 For REST, you may also use the C<login> and C<password> variable
 names instead of C<Bugzilla_login> and C<Bugzilla_password> as a
 convenience. You may also use C<token> instead of C<Bugzilla_token>.
 
+=back
+
+There are also two deprecreated methods of authentications. This will be
+removed in the version after Bugzilla 5.0.
+
+=over
+
+=item C<User.login>
+
+You can use L<Bugzilla::WebService::User/login> to log in as a Bugzilla
+user. This issues a token that you must then use in future calls.
+
 =item C<Bugzilla_token>
 
-B<Added in Bugzilla 5.0>
+B<Added in Bugzilla 4.4.3>
 
 You can specify C<Bugzilla_token> as argument to any WebService method,
 and you will be logged in as that user if the token is correct. This is
-- 
cgit v1.2.3-24-g4f1b