View Issue Details

ID: 0023225
Project: mantisbt
Category: authentication
View Status: public
Last Update: 2017-12-04 02:17
Reporter: johgoe
Assigned To: dregad
Priority: normal
Severity: minor
Reproducibility: have not tried
Status: closed
Resolution: fixed
Product Version: 2.3.0
Target Version: 2.7.0
Fixed in Version: 2.7.0
Summary: 0023225: Token API does not work with config show_realname
Description

It seems that the process for a token looks like

token -> api_token_get_user( $t_authorization_header ) -> user_get_name( $t_user_id ) -> mci_check_login( $p_username, $p_password )

user_get_name( $t_user_id ) returns the realname if config show_realname is enabled, and this breaks the authentication flow.

I guess a new method mci_check_login( $p_user_id, $p_token ) or user_get_username( $t_user_id ) is required to fix this.

TagsNo tags attached.

Relationships

related to 0023331 (closed, dregad): New user_get_username() API function
related to 0023692 (closed, dregad): Token API does not work with config show_realname

Activities

johgoe (reporter), 2017-08-16 07:51, ~0057478

In our company I added a new function to core/user_api.php

/**
 * Return the username, or the string "user<id>" (the deleted-user prefix
 * followed by the numeric id) if the user does not exist.
 *
 * @param integer $p_user_id A valid user identifier.
 * @return string
 */
function user_get_username( $p_user_id ) {
    # Cached row lookup; the second argument ($p_trigger_errors = false)
    # makes a missing user yield false instead of raising an error.
    $t_row = user_cache_row( $p_user_id, false );

    if( false == $t_row ) {
        return lang_get( 'prefix_for_deleted_users' ) . (int)$p_user_id;
    } else {
        return $t_row['username'];
    }
}

and use this new function instead of user_get_name() in /api/rest/restcore/AuthMiddleware.php#62

dregad (developer), 2017-09-04 06:36, ~0057604

I just faced the exact same problem today.

It is not possible to consume the REST webservice as an authenticated user when Mantis is configured to use Realname; the request returns an HTTP 403 error (anonymous access works fine).

dregad (developer), 2017-09-04 07:03, ~0057605

PR https://github.com/mantisbt/mantisbt/pull/1177

johgoe (reporter), 2017-12-01 13:31, ~0058294

In AuthMiddleware there is still one $t_username = user_get_name( $t_user_id ); instead of $t_username = user_get_username( $t_user_id ); (Line 62)

dregad (developer), 2017-12-03 05:36, ~0058304

In AuthMiddleware there is still one $t_username = user_get_name( $t_user_id ); instead of $t_username = user_get_username( $t_user_id ); (Line 62)

Follow up in 0023692

Related Changesets

MantisBT: master 8216e93d
2017-09-04 02:42, dregad

Fix REST API auth with show_realname = ON

When accessing the webservice via browser as an authenticated user, and
$g_show_realname = ON, the request fails with an HTTP 403 error.

This is due to using the incorrect user_get_name() function to retrieve the
user's login name.

Calling user_get_field(<id>, 'username') instead.

Fixes 0023225

Affected Issues: 0023225
mod - api/rest/restcore/AuthMiddleware.php

MantisBT: master b6d5eb51
2017-09-08 02:44, dregad

New API function user_get_username()

Replaces multiple calls to `user_get_field(<id>, 'username')` and avoids
confusion with user_get_name().

As discussed in issue 0023225 and PR https://github.com/mantisbt/mantisbt/pull/1177

Fixes 0023331

Affected Issues: 0023225, 0023331
mod - account_update.php
mod - api/rest/restcore/AuthMiddleware.php
mod - api/soap/mc_account_api.php
mod - bug_reminder_page.php
mod - core/authentication_api.php
mod - core/email_api.php
mod - core/filter_form_api.php
mod - core/ldap_api.php
mod - core/rss_api.php
mod - core/user_api.php
mod - verify.php

MantisBT: master 08d5c400
2017-12-03 00:31, dregad

Fix additional case of REST API auth with show_realname = ON

Follow-up on issue 0023225, as reported by @johgoe [1]

Fixes 0023692

[1] https://mantisbt.org/bugs/view.php?id=23225#c58294

Affected Issues: 0023225, 0023692
mod - api/rest/restcore/AuthMiddleware.php
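As an added example (not MantisBT code, nor code from any of the commenters), the following self-contained PHP script models the token flow quoted in the issue description and the outcome of the fix described in changesets 8216e93d and b6d5eb51 above. Each function is a simplified stand-in named after the MantisBT function it mimics: user_get_name() returns the realname when show_realname is ON, user_get_username() always returns the login name, and mci_check_login() resolves the login name and re-checks the token. The user record, the token value, and all function bodies are constructed for this example and are assumptions, not the project's real implementation.

```php
<?php
// Added example, not MantisBT code: a self-contained model of the REST
// token authentication flow described in issue 0023225. Every function
// below is a simplified stand-in named after the MantisBT function it
// mimics; the user record and token value are constructed sample data.

$g_show_realname = true;

// Constructed sample data: one enabled user and one API token bound to it.
$g_users = [
    7 => ['username' => 'jdoe', 'realname' => 'John Doe', 'enabled' => true],
];
$g_api_tokens = [
    'uLbWqX1kFzJ9dT0c3rNy5vH2' => 7,   // made-up token string => user id
];

/**
 * Stand-in for user_get_name(): the display name, which is the realname
 * when $g_show_realname is ON. This is the value the buggy middleware used.
 */
function user_get_name( int $p_user_id ): string {
    global $g_show_realname, $g_users;
    $t_row = $g_users[$p_user_id] ?? null;
    if( $t_row === null ) {
        return 'user' . $p_user_id;
    }
    if( $g_show_realname && $t_row['realname'] !== '' ) {
        return $t_row['realname'];
    }
    return $t_row['username'];
}

/**
 * Stand-in for user_get_username() (the function added in changeset
 * b6d5eb51): always the login name, independent of $g_show_realname.
 */
function user_get_username( int $p_user_id ): string {
    global $g_users;
    $t_row = $g_users[$p_user_id] ?? null;
    return $t_row === null ? 'user' . $p_user_id : $t_row['username'];
}

/** Stand-in for api_token_get_user(): map the token to a user id, or false. */
function api_token_get_user( string $p_authorization_header ) {
    global $g_api_tokens;
    return $g_api_tokens[$p_authorization_header] ?? false;
}

/**
 * Stand-in for mci_check_login(): resolve the login name to an enabled user
 * and verify that the supplied token ($p_password) belongs to that user.
 * Returns the user id, or false. A realname such as "John Doe" is not a
 * login name, so it never resolves here.
 */
function mci_check_login( string $p_username, string $p_password ) {
    global $g_users, $g_api_tokens;
    foreach( $g_users as $t_id => $t_row ) {
        if( $t_row['username'] === $p_username && $t_row['enabled'] ) {
            return ( ( $g_api_tokens[$p_password] ?? null ) === $t_id ) ? $t_id : false;
        }
    }
    return false;
}

/**
 * Model of AuthMiddleware: returns the HTTP status the request would get.
 * $p_use_fix = false reproduces the bug (user_get_name()),
 * $p_use_fix = true applies the fix (user_get_username()).
 */
function authenticate( string $p_authorization_header, bool $p_use_fix ): int {
    $t_user_id = api_token_get_user( $p_authorization_header );
    if( $t_user_id === false ) {
        return 403;
    }
    $t_username = $p_use_fix
        ? user_get_username( $t_user_id )
        : user_get_name( $t_user_id );
    // The token is passed as the password, as in the flow quoted in the issue.
    if( mci_check_login( $t_username, $p_authorization_header ) === false ) {
        return 403;
    }
    return 200;
}

$t_token = 'uLbWqX1kFzJ9dT0c3rNy5vH2';
printf( "show_realname=ON,  user_get_name():     HTTP %d\n", authenticate( $t_token, false ) );
printf( "show_realname=ON,  user_get_username(): HTTP %d\n", authenticate( $t_token, true ) );
$g_show_realname = false;
printf( "show_realname=OFF, user_get_name():     HTTP %d\n", authenticate( $t_token, false ) );
```

Run with `php` on the command line. With show_realname ON, the name lookup yields the realname, mci_check_login() cannot resolve it to an account, and the request is rejected, which is the 403 dregad describes; switching the lookup to the login name, or turning show_realname off, lets the same token through. The point for a reviewer is that a display-name helper was used on an authentication path, where only the login identifier is meaningful, and that the second, missed call site reported in ~0058294 had exactly the same shape.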