Makes the API accepts the X-Redmine-API-Key header to hold the API key.

git-svn-id: svn+ssh://rubyforge.org/var/svn/redmine/trunk@4573 e93f8b46-1217-0410-a6f0-8f06a7374b81
2025-10-31 18:36:07 +01:00 · 2010-12-23 14:49:14 +00:00
parent 283d25d823
commit 07fe46e9df
2 changed files with 26 additions and 3 deletions
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -71,10 +71,10 @@ class ApplicationController < ActionController::Base
    elsif params[:format] == 'atom' && params[:key] && accept_key_auth_actions.include?(params[:action])
      # RSS key authentication does not start a session
      User.find_by_rss_key(params[:key])
-    elsif Setting.rest_api_enabled? && ['xml', 'json'].include?(params[:format])
-      if params[:key].present? && accept_key_auth_actions.include?(params[:action])
+    elsif Setting.rest_api_enabled? && api_request?
+      if (key = api_key_from_request) && accept_key_auth_actions.include?(params[:action])
        # Use API key
-        User.find_by_api_key(params[:key])
+        User.find_by_api_key(key)
      else
        # HTTP Basic, either username/password or API key/random
        authenticate_with_http_basic do |username, password|
@@ -402,6 +402,15 @@ class ApplicationController < ActionController::Base
  def api_request?
    %w(xml json).include? params[:format]
  end
+  
+  # Returns the API key present in the request
+  def api_key_from_request
+    if params[:key].present?
+      params[:key]
+    elsif request.headers["X-Redmine-API-Key"].present?
+      request.headers["X-Redmine-API-Key"]
+    end
+  end

  # Renders a warning flash if obj has unsaved attachments
  def render_attachment_warning_if_needed(obj)
--- a/test/test_helper.rb
+++ b/test/test_helper.rb
@@ -361,6 +361,20 @@ class ActiveSupport::TestCase
      end
    end
    
+    context "should allow key based auth using X-Redmine-API-Key header for #{http_method} #{url}" do
+      setup do
+        @user = User.generate_with_protected!(:admin => true)
+        @token = Token.generate!(:user => @user, :action => 'api')
+        send(http_method, url, parameters, {'X-Redmine-API-Key' => @token.value.to_s})
+      end
+      
+      should_respond_with success_code
+      should_respond_with_content_type_based_on_url(url)
+      should_be_a_valid_response_string_based_on_url(url)
+      should "login as the user" do
+        assert_equal @user, User.current
+      end
+    end
  end

  # Uses should_respond_with_content_type based on what's in the url: