From 243d66a36e96729452b031b0cf67eed53c221782 Mon Sep 17 00:00:00 2001
From: Byron Jones <glob@mozilla.com>
Date: Mon, 9 Mar 2015 14:10:36 +0800
Subject: Bug 1139257: allow cookie+api-token GET REST requests r=dkl,a=glob

---
 Bugzilla/Auth/Login/Cookie.pm      | 26 ++++++++++++++++++--------
 Bugzilla/WebService/Server/REST.pm | 23 -----------------------
 2 files changed, 18 insertions(+), 31 deletions(-)

(limited to 'Bugzilla')

diff --git a/Bugzilla/Auth/Login/Cookie.pm b/Bugzilla/Auth/Login/Cookie.pm
index c09f08d24..3139e127b 100644
--- a/Bugzilla/Auth/Login/Cookie.pm
+++ b/Bugzilla/Auth/Login/Cookie.pm
@@ -54,15 +54,25 @@ sub get_login_info {
 
         # If the call is for a web service, and an api token is provided, check
         # it is valid.
-        if (i_am_webservice() && Bugzilla->input_params->{Bugzilla_api_token}) {
-            my $api_token = Bugzilla->input_params->{Bugzilla_api_token};
-            my ($token_user_id, undef, undef, $token_type)
-                = Bugzilla::Token::GetTokenData($api_token);
-            if (!defined $token_type
-                || $token_type ne 'api_token'
-                || $user_id != $token_user_id)
+        if (i_am_webservice()) {
+            if ($login_cookie
+                && Bugzilla->usage_mode == USAGE_MODE_REST
+                && !exists Bugzilla->input_params->{Bugzilla_api_token})
             {
-                ThrowUserError('auth_invalid_token', { token => $api_token });
+                # REST requires an api-token when using cookie authentication
+                # fall back to a non-authenticated request
+                $login_cookie = '';
+
+            } elsif (Bugzilla->input_params->{Bugzilla_api_token}) {
+                my $api_token = Bugzilla->input_params->{Bugzilla_api_token};
+                my ($token_user_id, undef, undef, $token_type)
+                    = Bugzilla::Token::GetTokenData($api_token);
+                if (!defined $token_type
+                    || $token_type ne 'api_token'
+                    || $user_id != $token_user_id)
+                {
+                    ThrowUserError('auth_invalid_token', { token => $api_token });
+                }
             }
         }
     }
diff --git a/Bugzilla/WebService/Server/REST.pm b/Bugzilla/WebService/Server/REST.pm
index b3d35595f..940045b26 100644
--- a/Bugzilla/WebService/Server/REST.pm
+++ b/Bugzilla/WebService/Server/REST.pm
@@ -167,29 +167,6 @@ sub response {
 
 sub handle_login {
     my $self = shift;
-
-    # If we're being called using GET, we don't allow cookie-based or Env
-    # login, because GET requests can be done cross-domain, and we don't
-    # want private data showing up on another site unless the user
-    # explicitly gives that site their username and password. (This is
-    # particularly important for JSONP, which would allow a remote site
-    # to use private data without the user's knowledge, unless we had this
-    # protection in place.) We do allow this for GET /login as we need to
-    # for Bugzilla::Auth::Persist::Cookie to create a login cookie that we
-    # can also use for Bugzilla_token support. This is OK as it requires
-    # a login and password to be supplied and will fail if they are not
-    # valid for the user.
-    if (!grep($_ eq $self->request->method, ('POST', 'PUT'))
-        && !($self->bz_class_name eq 'Bugzilla::WebService::User'
-            && $self->bz_method_name eq 'login'))
-    {
-        # XXX There's no particularly good way for us to get a parameter
-        # to Bugzilla->login at this point, so we pass this information
-        # around using request_cache, which is a bit of a hack. The
-        # implementation of it is in Bugzilla::Auth::Login::Stack.
-        Bugzilla->request_cache->{'auth_no_automatic_login'} = 1;
-    }
-
     my $class = $self->bz_class_name;
     my $method = $self->bz_method_name;
     my $full_method = $class . "." . $method;
-- 
cgit v1.2.3-24-g4f1b