View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
0023225 | mantisbt | authentication | public | 2017-08-16 06:35 | 2017-12-04 02:17 |
Reporter | johgoe | Assigned To | dregad | ||
Priority | normal | Severity | minor | Reproducibility | have not tried |
Status | closed | Resolution | fixed | ||
Product Version | 2.3.0 | ||||
Target Version | 2.7.0 | Fixed in Version | 2.7.0 | ||
Summary | 0023225: Token API does not work with config show show_realname | ||||
Description | It seems that the process for a token looks like: token -> api_token_get_user( $t_authorization_header ) -> user_get_name( $t_user_id ) -> mci_check_login( $p_username, $p_password ). user_get_name( $t_user_id ) will return the realname if config show_realname is enabled, and this will break the authentication flow. I guess a new method mci_check_login( $p_user_id, $p_token ) or user_get_username( $t_user_id ) is required to fix this. | ||||
Tags | No tags attached. | ||||
In our company I added a new function to core/user_api.php
and use this new function instead of user_get_name() in /api/rest/restcore/AuthMiddleware.php#62 |
|
I just faced the exact same problem today. It is not possible to consume REST webservice as an authenticated user when Mantis is configured to use Realname, the request returns an HTTP 403 error (anonymous access works fine). |
|
In AuthMiddleware is still one |
|
Follow up in 0023692 |
|
MantisBT: master 8216e93d 2017-09-04 02:42 Details Diff |
Fix REST API auth with show_realname = ON. When accessing the webservice via browser as an authenticated user, and $g_show_realname = ON, the request fails with HTTP 403 error. This is due to using incorrect user_get_name() function to retrieve the user's login name. Calling user_get_field(<id>, 'username') instead. Fixes 0023225 |
Affected Issues 0023225 |
|
mod - api/rest/restcore/AuthMiddleware.php | Diff File | ||
MantisBT: master b6d5eb51 2017-09-08 02:44 Details Diff |
New API function user_get_username(). Replaces multiple calls to `user_get_field(<id>, 'username')` and avoids confusion with user_get_name(). As discussed in issue 0023225 and PR https://github.com/mantisbt/mantisbt/pull/1177 Fixes 0023331 |
Affected Issues 0023225, 0023331 |
|
mod - account_update.php | Diff File | ||
mod - api/rest/restcore/AuthMiddleware.php | Diff File | ||
mod - api/soap/mc_account_api.php | Diff File | ||
mod - bug_reminder_page.php | Diff File | ||
mod - core/authentication_api.php | Diff File | ||
mod - core/email_api.php | Diff File | ||
mod - core/filter_form_api.php | Diff File | ||
mod - core/ldap_api.php | Diff File | ||
mod - core/rss_api.php | Diff File | ||
mod - core/user_api.php | Diff File | ||
mod - verify.php | Diff File | ||
MantisBT: master 08d5c400 2017-12-03 00:31 Details Diff |
Fix additional case of REST API auth with show_realname = ON. Follow-up on issue 0023225, as reported by @johgoe [1]. Fixes 0023692. [1] https://mantisbt.org/bugs/view.php?id=23225#c58294 |
Affected Issues 0023225, 0023692 |
|
mod - api/rest/restcore/AuthMiddleware.php | Diff File |
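
The display-name versus login-name mix-up reported in this issue, as an added PHP example (not MantisBT source code). The `demo_*` functions are simplified stand-ins for api_token_get_user(), user_get_name(), user_get_username() and mci_check_login(); the user, the token and the status mapping are constructed for illustration.

```php
<?php
// Simplified stand-ins for the calls named in the issue; not MantisBT code.
// The user, token and names below are constructed sample data.
$g_show_realname = true; // ON: the setting that triggers the failure

$g_users  = [ 7 => [ 'username' => 'jdoe', 'realname' => 'Jane Doe' ] ];
$g_tokens = [ 'sample-token-0001' => 7 ]; // token => user id

// Stand-in for api_token_get_user(): token to user id, or false if unknown.
function demo_token_get_user( string $p_token ) {
    global $g_tokens;
    return $g_tokens[$p_token] ?? false;
}

// Stand-in for user_get_name(): a display name, which becomes the real
// name when show_realname is ON.
function demo_get_name( int $p_user_id ): string {
    global $g_users, $g_show_realname;
    $t_user = $g_users[$p_user_id];
    return ( $g_show_realname && $t_user['realname'] !== '' )
        ? $t_user['realname'] : $t_user['username'];
}

// Stand-in for user_get_username(): always the 'username' field.
function demo_get_username( int $p_user_id ): string {
    global $g_users;
    return $g_users[$p_user_id]['username'];
}

// Stand-in for mci_check_login(): the account is looked up by login name,
// and the token must belong to that same account.
function demo_check_login( string $p_username, string $p_token ): bool {
    global $g_users;
    $t_user_id = demo_token_get_user( $p_token );
    return $t_user_id !== false
        && $g_users[$t_user_id]['username'] === $p_username;
}

// Middleware decision: the HTTP status for a request carrying $p_token.
function demo_auth_status( string $p_token, callable $p_name_lookup ): int {
    $t_user_id = demo_token_get_user( $p_token );
    if( $t_user_id === false ) {
        return 403;
    }
    return demo_check_login( $p_name_lookup( $t_user_id ), $p_token ) ? 200 : 403;
}

echo 'display-name lookup: ', demo_auth_status( 'sample-token-0001', 'demo_get_name' ), PHP_EOL;
echo 'login-name lookup:   ', demo_auth_status( 'sample-token-0001', 'demo_get_username' ), PHP_EOL;
```

Setting `$g_show_realname` to `false` makes both lookups agree, which is why the failure only appears on installations that display real names.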