358354 - WebService should perform a login in xmlrpc.cgi

Status: RESOLVED FIXED

(Bugzilla :: WebService, defect)

Description

[Mads Bondo Dydensborg]

User-Agent:       Mozilla/5.0 (compatible; Konqueror/3.5; Linux) KHTML/3.5.2 (like Gecko) Kubuntu 6.06 Dapper
Build Identifier: 

The registration of this bug, is inspired by a comment made by mkanat, in relation to bug 356816 (https://bugzilla.mozilla.org/show_bug.cgi?id=356816#c8)

"
>+    Bugzilla->login;

  I don't think this needs to be here, but only because I think it should be
elsewhere, in the original webservice processing code, or in xmlrpc.cgi.
"

The webservice interface, as it currently is, does check for an users login in each method. This works.

However, all the patches for the webservice functionality, seems to assume that login is handled _before_ a function is called. This seems a rational approach, although I am not sure how it should be implemented.

Reproducible: Always

Comment 1

[Mads Bondo Dydensborg]

This should have the same milestone as the other patches for WebService.

Also, this potentially blocks a number of bugs: 349256 352879 355837 355839 355847 357322

Comment 2

[Mads Bondo Dydensborg]

This was initially tried in bug 357322, but the patch was broken, and it turned out that doing this was somewhat more complicated than initially thought. Apparently, some conflict with the SOAP::Lite modules header handling (or similar) made it break.

It was decided to postpone doing the login to later. Until that, methods may have to perform a Bugzilla->login; as neccessary.

Comment 3

[Max Kanat-Alexander]

There are probably several functions that won't work correctly unless we do this.

Comment 4

[Mads Bondo Dydensborg]

(In reply to comment #3)
> There are probably several functions that won't work correctly unless we do
> this.
> 
Yes.

I regret having to say, that I have no idea how to implement this. So, no patch will be forthcoming from me. :-(

Comment 5

[Frédéric Buclin]

(In reply to comment #3)
> There are probably several functions that won't work correctly unless we do
> this.

Which ones? If you have none in mind, we could probably remove the blocking3.0+ flag, but still fix it in 3.0 (e.g. 3.0.1).

Comment 6

[Max Kanat-Alexander]

These need to be fixed, or we need to put login inside xmlrpc.cgi somehow:

Bug::get_bugs
Bug::legal_values (for requirelogin installations)
Product::get_selectable_products
Product::get_enterable_products
Product::get_accessible_products
Product::get_products
User::create

Some functions need to be excluded from the >login call, for technical reasons and for requirelogin reasons:

Bugzilla->login
Bugzilla::User::offer_account_by_email

Comment 7

[Max Kanat-Alexander]

Attachment: v1

Okay, this is pretty straightforward. I've tested it, and it indeed seems to work.

Comment 8

[Frédéric Buclin]

Comment on attachment 253943 [details] [diff] [review]
v1

Looks good to me. This patch allows me to see security bugs if I have enough privs. r=LpSolit (note that I'm not a SOAP expert, though)

Comment 9

[Max Kanat-Alexander]

Checking in xmlrpc.cgi;
/cvsroot/mozilla/webtools/bugzilla/xmlrpc.cgi,v  <--  xmlrpc.cgi
new revision: 1.2; previous revision: 1.1
done
Checking in Bugzilla/WebService.pm;
/cvsroot/mozilla/webtools/bugzilla/Bugzilla/WebService.pm,v  <--  WebService.pm
new revision: 1.5; previous revision: 1.4
done
Checking in Bugzilla/WebService/Constants.pm;
/cvsroot/mozilla/webtools/bugzilla/Bugzilla/WebService/Constants.pm,v  <--  Constants.pm
new revision: 1.6; previous revision: 1.5
done
Checking in Bugzilla/WebService/User.pm;
/cvsroot/mozilla/webtools/bugzilla/Bugzilla/WebService/User.pm,v  <--  User.pm
new revision: 1.4; previous revision: 1.3
done