#79678 Use HTTP status code 403 instead of 401 when REST API is disabled
Status: Closed
Done: 0%
Description
Currently, Redmine returns HTTP status code 401 (Unauthorized) if the REST API feature is disabled.
$ curl -D /dev/stdout --user admin:admin http://localhost:3000/issues.xml
HTTP/1.1 401 Unauthorized
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
X-Download-Options: noopen
X-Permitted-Cross-Domain-Policies: none
Referrer-Policy: strict-origin-when-cross-origin
Content-Type: application/xml
WWW-Authenticate: Basic realm="Redmine API"
Cache-Control: no-cache
X-Request-Id: 22e77bad-feca-4137-a81e-9df152af8bc2
X-Runtime: 0.019368
Transfer-Encoding: chunked
With the status code 401, users may misunderstand that the login id or password is incorrect. If they access /issues.xml with a web browser, they will see a basic authentication dialog again and again.
I think it is proper and intuitive to return 403 (Forbidden) instead of 401, like "403 API access is not allowed".
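The ordering the issue asks for, as an added example that is not Redmine's code or the attached patch: a small Rack-style handler in which a disabled REST API answers 403 before any credential check and without a WWW-Authenticate challenge (so a browser stops re-prompting), while an enabled API still answers 401 plus the Basic challenge for missing or wrong credentials. The ApiGate class, the settings hash, the in-memory user store and basic_auth_header are all hypothetical, constructed for this example.

```ruby
require "base64"

# Hypothetical Rack-style gate, not Redmine's own code. The API on/off switch
# and the credential store are constructed in-line so the example runs offline.
class ApiGate
  REALM = "Redmine API"

  # settings: { rest_api_enabled: true/false }
  # users:    { "login" => "password" }  (constructed sample store)
  def initialize(settings, users)
    @settings = settings
    @users = users
  end

  # env is a Rack-like hash; only HTTP_AUTHORIZATION is read.
  # Returns [status, headers, body] like a Rack application.
  def call(env)
    # 1. Feature disabled: refuse with 403 regardless of credentials and send
    #    no WWW-Authenticate challenge, so browsers do not re-prompt for a password.
    unless @settings[:rest_api_enabled]
      return [403, { "Content-Type" => "text/plain" }, ["403 API access is not allowed"]]
    end

    # 2. Feature enabled: missing or wrong credentials are an authentication
    #    problem, so 401 plus the Basic challenge is the right answer.
    login = authenticate(env["HTTP_AUTHORIZATION"])
    unless login
      return [401,
              { "Content-Type" => "text/plain",
                "WWW-Authenticate" => %(Basic realm="#{REALM}") },
              ["401 Unauthorized"]]
    end

    [200, { "Content-Type" => "text/plain" }, ["ok #{login}"]]
  end

  private

  # Parses "Basic base64(login:password)" and checks it against the store.
  # Returns the login on success, nil on any malformed or wrong input.
  def authenticate(header)
    return nil unless header.is_a?(String)
    scheme, token = header.split(" ", 2)
    return nil unless scheme && token && scheme.casecmp?("Basic")
    decoded = begin
      Base64.strict_decode64(token)
    rescue ArgumentError
      return nil
    end
    login, password = decoded.split(":", 2)
    return nil unless login && password
    expected = @users[login]
    return nil unless expected && secure_equal?(expected, password)
    login
  end

  # Constant-time comparison so response timing does not leak how many
  # leading bytes of the password were correct.
  def secure_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

# Builds the Authorization header value for a login/password pair (constructed input).
def basic_auth_header(login, password)
  "Basic " + Base64.strict_encode64("#{login}:#{password}")
end
```

The check order is the point: the feature switch is evaluated first, so a client with perfectly valid credentials still gets 403 when the API is off, and the absence of the challenge header is what makes a browser stop showing the login dialog.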
Journals
--------------------------------------------------------------------------------
Regardless of whether authentication is valid or not, if you disable the REST API feature it responds with HTTP status code 403 (Forbidden).
I made a patch, and attach it.
--------------------------------------------------------------------------------
I'm in favour of this change.
--------------------------------------------------------------------------------
Setting the target version to 4.1.0.
--------------------------------------------------------------------------------
Returning 403 in the situation is consistent. In incoming emails API, MailHandlerController returns 403 if "WS for incoming emails" is disabled. Please see source:tags/4.0.0/app/controllers/mail_handler_controller.rb#L41.
--------------------------------------------------------------------------------
Removed an unnecessary test_with_valid_username_and_wrong_password_http_authentication from the patch.
--------------------------------------------------------------------------------
Committed the patch. Thank you.
--------------------------------------------------------------------------------
Related issues
Relates to #32315 (Closed): Impossible to validate API key without modifying anything