View Issue Details

ID: 0023225
Project: mantisbt
Category: authentication
View Status: public
Last Update: 2017-12-04 02:17
Reporter: johgoe
Assigned To: dregad
Priority: normal
Severity: minor
Reproducibility: have not tried
Status: closed
Resolution: fixed
Product Version: 2.3.0
Target Version: 2.7.0
Fixed in Version: 2.7.0
Summary0023225: Token API does not work with config show show_realname
Description

It seems that the process for a token looks like

token -> api_token_get_user( $t_authorization_header) -> user_get_name( $t_user_id) -> mci_check_login( $p_username, $p_password )

user_get_name( $t_user_id) returns the realname if config show_realname is enabled, and this breaks the authentication flow.

I guess a new method mci_check_login( $p_user_id, $p_token ) or user_get_username( $t_user_id) is required to fix this.

Tags: No tags attached.

Relationships

related to 0023331 closeddregad New user_get_username() API function 
related to 0023692 closeddregad Token API does not work with config show show_realname 

Activities

johgoe

2017-08-16 07:51

reporter   ~0057478

In our company I added a new function to core/user_api.php

/**
 * return the username or a string "user<id>" if the user does not exist
 *
 * @param integer $p_user_id A valid user identifier.
 * @return string
 */
function user_get_username( $p_user_id ) {
    $t_row = user_cache_row( $p_user_id, false );

    if( false == $t_row ) {
        return lang_get( 'prefix_for_deleted_users' ) . (int)$p_user_id;
    } else {
        return $t_row['username'];
    }
}

and use this new function instead of user_get_name() in /api/rest/restcore/AuthMiddleware.php#62
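The flow quoted in the description, run as a small self-contained PHP model. This is an added example, not MantisBT code: the user table, the token value, the simplified bodies of user_get_name(), user_get_username() and mci_check_login(), and the authenticate() wrapper standing in for AuthMiddleware are all constructed here to show why the name lookup returns a 403 with show_realname ON and why a login-name accessor does not.

```php
<?php
declare(strict_types=1);

// Added example, not MantisBT code: a minimal model of the REST token flow
// from the issue. Table contents, the token and the function bodies are
// constructed for illustration only.

const ON = 1;
const OFF = 0;

// Constructed user table and API token store (not real data).
$t_users = [
    31304 => ['username' => 'johgoe', 'realname' => 'Johannes Example'],
];
$t_api_tokens = [
    'example-api-token-not-a-secret' => 31304,
];

// Display-name logic in the spirit of user_get_name(): with show_realname ON
// it returns the real name, which is not a valid login name.
function user_get_name(array $p_users, int $p_user_id, int $p_show_realname): string {
    $t_row = $p_users[$p_user_id];
    if ($p_show_realname == ON && $t_row['realname'] !== '') {
        return $t_row['realname'];
    }
    return $t_row['username'];
}

// Login-name accessor with the shape of the user_get_username() proposed above.
function user_get_username(array $p_users, int $p_user_id): string {
    return $p_users[$p_user_id]['username'];
}

// Stand-in for mci_check_login() on the token path (assumption): no password
// is checked here, the username only has to resolve to an existing account.
function mci_check_login(array $p_users, string $p_username): ?int {
    foreach ($p_users as $t_id => $t_row) {
        if ($t_row['username'] === $p_username) {
            return $t_id;
        }
    }
    return null;
}

// The AuthMiddleware flow from the description:
// token -> user id -> name lookup -> mci_check_login().
// Returns the HTTP status the request would get.
function authenticate(
    array $p_users, array $p_tokens, string $p_token, int $p_show_realname, bool $p_fixed
): int {
    $t_user_id = $p_tokens[$p_token] ?? null;
    if ($t_user_id === null) {
        return 403;
    }
    $t_username = $p_fixed
        ? user_get_username($p_users, $t_user_id)
        : user_get_name($p_users, $t_user_id, $p_show_realname);
    return mci_check_login($p_users, $t_username) === null ? 403 : 200;
}

$t_token = 'example-api-token-not-a-secret';
foreach ([OFF, ON] as $t_show_realname) {
    foreach ([false, true] as $t_fixed) {
        printf(
            "show_realname=%s lookup=%s -> HTTP %d\n",
            $t_show_realname == ON ? 'ON' : 'OFF',
            $t_fixed ? 'user_get_username()' : 'user_get_name()',
            authenticate($t_users, $t_api_tokens, $t_token, $t_show_realname, $t_fixed)
        );
    }
}
```

Only the combination show_realname ON with the user_get_name() lookup fails: the real name is handed to the login check, no account has that username, and the request is rejected. The other three combinations pass, which is also why the bug goes unnoticed on installations that keep show_realname OFF.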

dregad

2017-09-04 06:36

developer   ~0057604

I just faced the exact same problem today.

It is not possible to consume the REST webservice as an authenticated user when Mantis is configured to use Realname; the request returns an HTTP 403 error (anonymous access works fine).

dregad

2017-09-04 07:03

developer   ~0057605

PR https://github.com/mantisbt/mantisbt/pull/1177

johgoe

2017-12-01 13:31

reporter   ~0058294

In AuthMiddleware there is still one $t_username = user_get_name( $t_user_id ); instead of $t_username = user_get_username( $t_user_id ); (Line 62)

dregad

2017-12-03 05:36

developer   ~0058304

In AuthMiddleware there is still one $t_username = user_get_name( $t_user_id ); instead of $t_username = user_get_username( $t_user_id ); (Line 62)

Follow-up in 0023692

Related Changesets

MantisBT: master 8216e93d

2017-09-04 06:42:37

dregad

Fix REST API auth with show_realname = ON

When accessing the webservice via browser as an authenticated user, and
$g_show_realname = ON, the request fails with HTTP 403 error.

This is due to using incorrect user_get_name() function to retrieve the
user's login name.

Calling user_get_field(<id>, 'username') instead.

Fixes 0023225
mod - api/rest/restcore/AuthMiddleware.php

MantisBT: master b6d5eb51

2017-09-08 06:44:23

dregad

New API function user_get_username()

Replaces multiple calls to `user_get_field(<id>, 'username')` and avoids
confusion with user_get_name().

As discussed in issue 0023225 and PR https://github.com/mantisbt/mantisbt/pull/1177

Fixes 0023331
mod - account_update.php
mod - api/rest/restcore/AuthMiddleware.php
mod - api/soap/mc_account_api.php
mod - bug_reminder_page.php
mod - core/authentication_api.php
mod - core/email_api.php
mod - core/filter_form_api.php
mod - core/ldap_api.php
mod - core/rss_api.php
mod - core/user_api.php
mod - verify.php

MantisBT: master 08d5c400

2017-12-03 05:31:57

dregad

Fix additional case of REST API auth with show_realname = ON

Follow-up on issue 0023225, as reported by @johgoe [1]

Fixes 0023692

[1] https://mantisbt.org/bugs/view.php?id=23225#c58294
mod - api/rest/restcore/AuthMiddleware.php

Issue History

Date Modified Username Field Change
2017-08-16 06:35 johgoe New Issue
2017-08-16 07:51 johgoe Note Added: 0057478
2017-09-04 06:36 dregad Status new => confirmed
2017-09-04 06:36 dregad Note Added: 0057604
2017-09-04 06:36 dregad Product Version => 2.3.0
2017-09-04 06:36 dregad Target Version => 2.7.0
2017-09-04 07:03 dregad Assigned To => dregad
2017-09-04 07:03 dregad Status confirmed => assigned
2017-09-04 07:03 dregad Note Added: 0057605
2017-09-08 10:10 dregad Relationship added related to 0023331
2017-09-09 18:13 dregad Changeset attached => MantisBT master 8216e93d
2017-09-09 18:13 dregad Changeset attached => MantisBT master b6d5eb51
2017-09-09 18:13 dregad Status assigned => resolved
2017-09-09 18:13 dregad Resolution open => fixed
2017-09-09 18:13 dregad Fixed in Version => 2.7.0
2017-10-08 23:53 vboctor Status resolved => closed
2017-12-01 13:31 johgoe Status closed => feedback
2017-12-01 13:31 johgoe Resolution fixed => reopened
2017-12-01 13:31 johgoe Note Added: 0058294
2017-12-03 05:35 dregad Issue cloned: 0023692
2017-12-03 05:35 dregad Relationship added related to 0023692
2017-12-03 05:36 dregad Status feedback => resolved
2017-12-03 05:36 dregad Resolution reopened => fixed
2017-12-03 05:36 dregad Note Added: 0058304
2017-12-03 05:37 dregad Changeset attached => MantisBT master 08d5c400
2017-12-04 02:17 vboctor Status resolved => closed