From 243d66a36e96729452b031b0cf67eed53c221782 Mon Sep 17 00:00:00 2001 From: Byron Jones Date: Mon, 9 Mar 2015 14:10:36 +0800 Subject: Bug 1139257: allow cookie+api-token GET REST requests r=dkl,a=glob --- Bugzilla/WebService/Server/REST.pm | 23 ----------------------- 1 file changed, 23 deletions(-) (limited to 'Bugzilla/WebService') diff --git a/Bugzilla/WebService/Server/REST.pm b/Bugzilla/WebService/Server/REST.pm index b3d35595f..940045b26 100644 --- a/Bugzilla/WebService/Server/REST.pm +++ b/Bugzilla/WebService/Server/REST.pm @@ -167,29 +167,6 @@ sub response { sub handle_login { my $self = shift; - - # If we're being called using GET, we don't allow cookie-based or Env - # login, because GET requests can be done cross-domain, and we don't - # want private data showing up on another site unless the user - # explicitly gives that site their username and password. (This is - # particularly important for JSONP, which would allow a remote site - # to use private data without the user's knowledge, unless we had this - # protection in place.) We do allow this for GET /login as we need to - # for Bugzilla::Auth::Persist::Cookie to create a login cookie that we - # can also use for Bugzilla_token support. This is OK as it requires - # a login and password to be supplied and will fail if they are not - # valid for the user. - if (!grep($_ eq $self->request->method, ('POST', 'PUT')) - && !($self->bz_class_name eq 'Bugzilla::WebService::User' - && $self->bz_method_name eq 'login')) - { - # XXX There's no particularly good way for us to get a parameter - # to Bugzilla->login at this point, so we pass this information - # around using request_cache, which is a bit of a hack. The - # implementation of it is in Bugzilla::Auth::Login::Stack. - Bugzilla->request_cache->{'auth_no_automatic_login'} = 1; - } - my $class = $self->bz_class_name; my $method = $self->bz_method_name; my $full_method = $class . "." . $method; -- cgit v1.2.3-24-g4f1b