From 9c5c3b20f521097f106b37fa9fa1c67ecd50f167 Mon Sep 17 00:00:00 2001
From: Dave Lawrence <dlawrence@mozilla.com>
Date: Fri, 25 Oct 2013 15:00:45 -0400
Subject: Bug 921523 - backport upstream bug 917669 to bmo/4.2 to throw error
 when invalid cookies/tokens are used with webservices

---
 Bugzilla/Auth/Login/Cookie.pm | 17 ++++++++++-------
 Bugzilla/Template.pm          |  5 +----
 Bugzilla/WebService.pm        |  7 +++++++
 3 files changed, 18 insertions(+), 11 deletions(-)

(limited to 'Bugzilla')

diff --git a/Bugzilla/Auth/Login/Cookie.pm b/Bugzilla/Auth/Login/Cookie.pm
index 4db486a8f..62a6c58a9 100644
--- a/Bugzilla/Auth/Login/Cookie.pm
+++ b/Bugzilla/Auth/Login/Cookie.pm
@@ -21,6 +21,7 @@ use base qw(Bugzilla::Auth::Login);
 
 use Bugzilla::Constants;
 use Bugzilla::Util;
+use Bugzilla::Error;
 
 use List::Util qw(first);
 
@@ -88,12 +89,16 @@ sub get_login_info {
                        WHERE cookie = ?", undef, $login_cookie);
             return { user_id => $user_id };
         }
+        elsif (i_am_webservice()) {
+            ThrowUserError('invalid_cookies_or_token');
+        }
     }
 
-    # Either the he cookie is invalid, or we got no cookie. We don't want 
-    # to ever return AUTH_LOGINFAILED, because we don't want Bugzilla to 
-    # actually throw an error when it gets a bad cookie. It should just 
-    # look like there was no cookie to begin with.
+    # Either the cookie or token is invalid and we are not authenticating
+    # via a webservice, or we did not receive a cookie or token. We don't
+    # want to ever return AUTH_LOGINFAILED, because we don't want Bugzilla to
+    # actually throw an error when it gets a bad cookie or token. It should just
+    # look like there was no cookie or token to begin with.
     return { failure => AUTH_NODATA };
 }
 
@@ -104,9 +109,7 @@ sub login_token {
 
     return $self->{'_login_token'} if exists $self->{'_login_token'};
 
-    if ($usage_mode ne USAGE_MODE_XMLRPC
-        && $usage_mode ne USAGE_MODE_JSON
-        && $usage_mode ne USAGE_MODE_REST) {
+    if (!i_am_webservice()) {
         return $self->{'_login_token'} = undef;
     }
 
diff --git a/Bugzilla/Template.pm b/Bugzilla/Template.pm
index b529caf89..c3839b11b 100644
--- a/Bugzilla/Template.pm
+++ b/Bugzilla/Template.pm
@@ -832,10 +832,7 @@ sub create {
                 # (Wrapping the message in the WebService is unnecessary
                 # and causes awkward things like \n's appearing in error
                 # messages in JSON-RPC.)
-                unless (Bugzilla->usage_mode == USAGE_MODE_JSON
-                        or Bugzilla->usage_mode == USAGE_MODE_XMLRPC
-                        or Bugzilla->usage_mode == USAGE_MODE_REST)
-                {
+                unless (i_am_webservice()) {
                     $var = wrap_comment($var, 72);
                 }
                 $var =~ s/\&nbsp;/ /g;
diff --git a/Bugzilla/WebService.pm b/Bugzilla/WebService.pm
index c930b02dc..60642c5e8 100644
--- a/Bugzilla/WebService.pm
+++ b/Bugzilla/WebService.pm
@@ -188,6 +188,13 @@ For REST, you may also use the C<username> and C<password> variable
 names instead of C<Bugzilla_login> and C<Bugzilla_password> as a
 convenience.
 
+=item B<Added in Bugzilla 5.0>
+
+An error is now thrown if you pass invalid cookies or an invalid token.
+You will need to log in again to get new cookies or a new token. Previous
+releases simply ignored invalid cookies and token support was added in
+Bugzilla B<5.0>.
+
 =back
 
 =head1 STABLE, EXPERIMENTAL, and UNSTABLE
-- 
cgit v1.2.3-24-g4f1b