Open Bug 1462349 Opened 7 years ago Updated 5 years ago

REST API incorrectly returns HTTP 200 for some private bugs

Categories

(Bugzilla :: WebService, defect)

People

(Reporter: mars, Unassigned)

Details

I've written a script that processes bug data using the Bugzilla REST API and the Python Requests library. I use the API as an unauthenticated user. For private bugs I expected the API to return HTTP 401 for confidential bugs. However, on occasion a confidential bug will return an HTTP 200 instead of an HTTP 401, and my scripts blow up.

Switching to other tools like httpie, curl, or the Python console will sometimes return the correct HTTP 401 with an API error JSON content body, or it might incorrectly return HTTP 200 with an API error JSON content body. It's inconsistent.

The HTTP client in the original script that generated the error will consistently return the incorrect HTTP 200 on later runs. The script is effectively blocked from proceeding.

Because the HTTP status code is unreliable I have to work around this by inspecting the body of every API response to see if the request generated an API error or the data I want.

Here is an interaction reproducing the bug using a Python 3.6.4 console and the latest version of python-requests:

>>> import requests
>>> response = requests.get('https://bugzilla.mozilla.org/rest/bug/1457703/attachment?exclude_fields=data')
>>> response
<Response [200]>
>>> response.status_code
200
>>> response.json()
{'documentation': 'https://bmo.readthedocs.org/en/latest/api/', 'error': True, 'code': 102, 'message': 'You are not authorized to access bug 1457703. To see this bug, you must first log in to an account with the appropriate permissions.'}
>>> response.request.headers
{'User-Agent': 'python-requests/2.18.4', 'Accept-Encoding': 'gzip, deflate', 'Accept': '*/*', 'Connection': 'keep-alive'}
>>> response.headers
{'Access-control-allow-headers': 'accept, content-type, origin, user-agent, x-requested-with, x-bugzilla-token, x-bugzilla-password, x-bugzilla-login, x-bugzilla-api-key', 'Access-control-allow-origin': '*', 'Content-Type': 'application/json; charset=UTF-8', 'Date': 'Thu, 10 May 2018 18:13:12 GMT', 'Etag': '2Ssy/emq0fRHb3vK2olQ+w', 'Set-Cookie': 'Bugzilla_login_request_cookie=7K1FAUuGKC; path=/; secure; HttpOnly; SameSite=Lax, github_secret=7X4ceKlDq0Bu3p4Yi9W3XBtyOf5g5c29hZvsZc4GHxbx2gPLwOxOuH3mdQEt5mkbLnSKT8gdBcDsfqJmgMpaBbIy2vfARRaarkOwewOpUi3apKOnlL4PFGeNZguowLFkhAQ4Hc9XKgQ2bPqDoWjYQc1eDVd0z1OpfhEFSptV3ZJ4MZjjm4sjfV4AuSO4cwn228AY5unhTG2jVChbCiRgGSkjS9u6d6vvbsTwj1O6fexaq3bIljLHncVCrSYLkEoU; path=/; secure; HttpOnly; SameSite=Lax', 'Strict-transport-security': 'max-age=31536000; includeSubDomains', 'X-content-type-options': 'nosniff', 'X-frame-options': 'SAMEORIGIN', 'X-xss-protection': '1; mode=block', 'Content-Length': '231', 'Connection': 'keep-alive'}
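
The workaround described in the report (decide from the body, not only from the status code), written out as an added example that is not part of the original report or of Bugzilla's own code. The function name, the exception class and the success payload are assumptions made for illustration; the error body reuses the fields shown in the console output above.

```python
import json

ACCESS_DENIED = 102  # API error code shown in the report's JSON body


class BugzillaAPIError(Exception):
    """The body or the status code reported a failure."""

    def __init__(self, http_status, code, message):
        super().__init__(f"HTTP {http_status}, API code {code}: {message}")
        self.http_status = http_status
        self.code = code
        self.message = message


def parse_bugzilla_response(http_status, body_text):
    """Return the decoded payload, or raise BugzillaAPIError.
    The body is inspected before the status code is trusted, because the
    report shows an error object delivered with HTTP 200.
    """
    try:
        payload = json.loads(body_text)
    except ValueError:
        # Not JSON (for example an intermediary's error page): never data.
        raise BugzillaAPIError(http_status, None, "body is not JSON") from None
    if isinstance(payload, dict) and payload.get("error"):
        raise BugzillaAPIError(http_status, payload.get("code"), payload.get("message"))
    if not 200 <= http_status < 300:
        raise BugzillaAPIError(http_status, None, "error status without an error body")
    return payload


# Constructed inputs. ERROR_BODY reuses the fields from the console output
# (message shortened); SUCCESS_BODY is a made-up placeholder payload.
ERROR_BODY = json.dumps({
    "documentation": "https://bmo.readthedocs.org/en/latest/api/",
    "error": True,
    "code": 102,
    "message": "You are not authorized to access bug 1457703.",
})
SUCCESS_BODY = json.dumps({"bugs": {"1": []}})

if __name__ == "__main__":
    for status in (200, 401):  # same body, both statuses seen in the report
        try:
            parse_bugzilla_response(status, ERROR_BODY)
        except BugzillaAPIError as exc:
            print(status, "->", "private" if exc.code == ACCESS_DENIED else "error")
    print(parse_bugzilla_response(200, SUCCESS_BODY))
```

With Requests, the call would be `parse_bugzilla_response(response.status_code, response.text)`.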