
Item13001: fully specify security setting for REST services provided by plugins

Priority: Normal
Current State: Closed
Released In: n/a
Target Release: n/a
Reported By: MichaelDaum
Waiting For:
Last Change By: MichaelDaum
This task may be used to fix any extension that provides a REST service but still does not fully specify its security requirements while registering the service to the core.

See also Item12839 and Development.AllowGuestsToUseRESTAsDefault

Please extend the list of affected extensions in the form below:

CaptchaPlugin, ClassificationPlugin, HarvestPlugin, ImagePlugin, JQGridPlugin, NewUserPlugin, PageOptimizerPlugin, PiwikPlugin, RenderPlugin, TopicInteractionPlugin, TrashPlugin, UpdateAttachmentsPlugin

-- MichaelDaum - 28 Aug 2014
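For reference, an added example (not code from this task or from any of the listed plugins) of what "fully specifying" means when a plugin registers a REST handler: the `authenticate`, `validate` and `http_allow` options the core checks in `Foswiki::UI::Rest` are all set explicitly. The plugin and handler names are hypothetical.

```perl
# Added example, not part of the task page: a minimal plugin whose
# REST handlers spell out every security option instead of relying on
# the core's defaults. Plugin and handler names are hypothetical.
package Foswiki::Plugins::ExampleSecurePlugin;

use strict;
use warnings;
use Foswiki::Func ();

our $VERSION = '1.0';
our $RELEASE = '1.0';

sub initPlugin {
    my ( $topic, $web, $user, $installWeb ) = @_;

    # Underspecified (the pattern this task exists to fix): whether a
    # login, a CSRF nonce or a particular HTTP method is required is
    # left to whatever the core assumes for missing options.
    #   Foswiki::Func::registerRESTHandler( 'purge', \&_restPurge );

    # Fully specified: this handler changes state, so require a
    # logged-in user, a valid validation_key and POST only.
    Foswiki::Func::registerRESTHandler(
        'purge', \&_restPurge,
        authenticate => 1,
        validate     => 1,
        http_allow   => 'POST',
    );

    # A read-only handler may be open to guests, but say so explicitly
    # rather than inheriting it.
    Foswiki::Func::registerRESTHandler(
        'status', \&_restStatus,
        authenticate => 0,
        validate     => 0,
        http_allow   => 'GET',
    );

    return 1;
}

# REST handlers receive the session, the subject (plugin name), the verb
# (handler alias) and the response object; a returned string is sent as
# the response body.
sub _restPurge {
    my ( $session, $subject, $verb, $response ) = @_;
    my $web = $session->{request}->param('web') || $session->{webName};
    return "purge requested for web $web by " . Foswiki::Func::getWikiName();
}

sub _restStatus {
    my ( $session, $subject, $verb, $response ) = @_;
    $response->header( -type => 'text/plain' );
    return "ok";
}

1;
```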

Unfortunately these changes will result in the REST handlers of these plugins not being usable on the command line in Foswiki-1.1.9. The patch below backports the relevant fixes from trunk.

diff --git a/lib/Foswiki/UI/Rest.pm b/lib/Foswiki/UI/Rest.pm
index f24e7bf..5c2b777 100644
--- a/lib/Foswiki/UI/Rest.pm
+++ b/lib/Foswiki/UI/Rest.pm
@@ -190,6 +190,7 @@ sub rest {
 
     # Check the method is allowed
     if ( $record->{http_allow} && defined $req->method() ) {
+      unless ( $session->inContext('command_line') ) {
         my %allowed = map { $_ => 1 } split( /[,\s]+/, $record->{http_allow} );
         unless ( $allowed{ uc( $req->method() ) } ) {
             $res->header( -type => 'text/html', -status => '405' );
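Review bot: the new `unless ( $session->inContext('command_line') ) {` guard at the top of this hunk wraps the whole method check, but the wrapped `my %allowed` and `unless ( $allowed{ uc( $req->method() ) } )` lines keep their old indentation and the matching `}` only shows up in the next hunk, so the scope of the bypass is hard to see; re-indent the body one level (or run perltidy over the file) so the guard reads as one block. The guard line itself is also indented by six spaces where the surrounding code uses four-space steps.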
@@ -198,12 +199,14 @@ sub rest {
             $res->print($err);
             throw Foswiki::EngineException( 404, $err, $res );
         }
+      }
     }
 
     # Check someone is logged in
     if ( $record->{authenticate} ) {
         unless ( $session->inContext('authenticated')
-            || $Foswiki::cfg{LoginManager} eq 'none' )
+            || $Foswiki::cfg{LoginManager} eq 'none' 
+            || $session->inContext('command_line') )
         {
             $res->header( -type => 'text/html', -status => '401' );
             $err = "ERROR: (401) $pathInfo requires you to be logged in";
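Review bot: the added `|| $session->inContext('command_line')` clause means a handler registered with `authenticate => 1` runs with no login at all when invoked from the shell, exactly as it would with `{LoginManager} eq 'none'`; that is the intent of the backport, but a short comment at the check saying the command line is treated as already trusted would save the next reader from wondering whether it is an oversight. Two smaller points: the `|| $Foswiki::cfg{LoginManager} eq 'none' ` line carries a trailing space, and the rejected-method path sets a `405` status header but then throws `Foswiki::EngineException( 404, ... )`, a pre-existing mismatch worth fixing while this code is being touched.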
@@ -213,7 +216,11 @@ sub rest {
     }
 
     # Validate the request
-    if ( $record->{validate} ) {
+    if (   $record->{validate}
+        && $Foswiki::cfg{Validation}{Method} ne 'none'
+        && !$session->inContext('command_line') )
+    {
+
         my $nonce = $req->param('validation_key');
         if (
             !defined($nonce)
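Review bot: besides the command-line case described above the patch, the condition now also skips request validation whenever `$Foswiki::cfg{Validation}{Method}` is `'none'`, which is a behaviour change for ordinary HTTP requests and should be stated explicitly in the commit message rather than ride along with the backport. Stylistically, the blank line directly after the opening `{` of the new multi-line condition can be dropped.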

-- MichaelDaum - 05 Dec 2014
 
Topic revision: r5 - 21 Sep 2015, MichaelDaum