0033019: X-Mantis-Version headers sent when REST API is disabled

ID	Project	Category	View Status	Date Submitted	Last Update
0033019	mantisbt	api rest	public	2023-10-16 09:08	2025-12-13 12:16

Reporter	dregad	Assigned To	dregad
Priority	normal	Severity	minor	Reproducibility	always
Status	assigned	Resolution	open
Target Version	2.29.0

Summary	0033019: X-Mantis-Version headers sent when REST API is disabled
Description	The REST API tries to authenticate the user and returns the X-Mantis-Version header even when it is disabled and/or the authentication fails.
Steps To Reproduce	set `$g_webservice_rest_enabled = OFF;` execute `curl -is http://localhost/mantisbt/api/rest/` `HTTP/1.1 401 API token required Date: Sun, 15 Oct 2023 16:06:54 GMT Server: Apache/2.4.52 (Debian) Set-Cookie: PHPSESSID=ukcnd48i76p4vegpqg67n9ov1l; path=/; HttpOnly Cache-Control: no-store, no-cache, must-revalidate, max-age=0 Last-Modified: Tue, 11 Apr 2023 22:55:08 GMT X-Mantis-Version: 2.25.7 Content-Length: 0 Content-Type: text/html; charset=UTF-8` Notice 401 API token required response (expected: 503 API disabled) presence of X-Mantis-Version header (should not be shown)
Additional Information	Originally reported by @PR_CSO in 0033017:0068220
Tags	No tags attached.

related to	0034784	new		Retire `webservice_rest_enabled` config option
related to	0033017	closed	dregad	Mantis version visible in REST API request headers even when $g_show_version is OFF

vboctor 2024-09-29 21:44 manager ~0069294	See 0034784 which should retire the `$g_webservice_rest_enabled` config option.