Item13001: fully specify security setting for REST services provided by plugins
Priority: Normal
Current State: Closed
Released In: n/a
Target Release: n/a
Applies To: Engine
Component: CaptchaPlugin, ClassificationPlugin, HarvestPlugin, ImagePlugin, JQGridPlugin, NewUserPlugin, PageOptimizerPlugin, PiwikPlugin, RenderPlugin, TopicInteractionPlugin, TrashPlugin, UpdateAttachmentsPlugin
Branches: master
This task may be used to fix any extension that provides a REST service but still does not fully specify its security requirements (whether the caller must be authenticated, whether the request must carry a validation key, and which HTTP methods are allowed) when registering the service with the core.
See also Item12839 and Development.AllowGuestsToUseRESTAsDefault.
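As an added illustration (not code from this task or from any of the plugins listed), here is what a plugin's initPlugin looks like when it registers a REST handler with all three security-relevant options stated explicitly instead of relying on the core's defaults. The plugin name ExamplePlugin, the handler alias and the handler body are hypothetical; the option names authenticate, validate and http_allow are the ones the core's Foswiki::UI::Rest reads from the handler record.

```perl
package Foswiki::Plugins::ExamplePlugin;    # hypothetical plugin name

use strict;
use warnings;

use Foswiki::Func ();

sub initPlugin {
    my ( $topic, $web, $user, $installWeb ) = @_;

    # Register the handler with every security-relevant option set
    # explicitly, so the behaviour does not depend on the core's defaults.
    Foswiki::Func::registerRESTHandler(
        'example',                # hypothetical handler alias
        \&_restExample,
        authenticate => 1,        # caller must be logged in
        validate     => 1,        # request must carry a valid validation key
        http_allow   => 'POST',   # reject GET and other methods with 405
    );

    return 1;
}

# Hypothetical handler: called as
#   http://<host>/bin/rest/ExamplePlugin/example
# after the core has applied the checks configured above.
sub _restExample {
    my ( $session, $subject, $verb, $response ) = @_;

    # $subject is the plugin name, $verb the handler alias.
    $response->header( -type => 'text/plain', -status => 200 );
    return "handled $subject/$verb\n";
}

1;
```

Setting validate to 1 ties the handler to the same strikeone / validation_key mechanism as the rest of the UI, so a browser can only invoke it from a page that already carries a fresh key; restricting http_allow to POST keeps the action out of plain links and image tags.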
Please extend the list of affected extensions in the form below:
CaptchaPlugin,
ClassificationPlugin,
HarvestPlugin,
ImagePlugin,
JQGridPlugin,
NewUserPlugin,
PageOptimizerPlugin,
PiwikPlugin,
RenderPlugin,
TopicInteractionPlugin,
TrashPlugin,
UpdateAttachmentsPlugin
--
MichaelDaum - 28 Aug 2014
Unfortunately these changes will result in REST handlers of these plugins not being usable on the command line in Foswiki-1.1.9. The patch below backports the relevant fixes from trunk.
diff --git a/lib/Foswiki/UI/Rest.pm b/lib/Foswiki/UI/Rest.pm
index f24e7bf..5c2b777 100644
--- a/lib/Foswiki/UI/Rest.pm
+++ b/lib/Foswiki/UI/Rest.pm
@@ -190,6 +190,7 @@ sub rest {
# Check the method is allowed
if ( $record->{http_allow} && defined $req->method() ) {
+ unless ( $session->inContext('command_line') ) {
my %allowed = map { $_ => 1 } split( /[,\s]+/, $record->{http_allow} );
unless ( $allowed{ uc( $req->method() ) } ) {
$res->header( -type => 'text/html', -status => '405' );
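Review bot: the new `unless ( $session->inContext('command_line') ) {` wraps the whole method check in an extra nesting level, while the third hunk expresses the same bypass by folding `!$session->inContext('command_line')` into the `if` condition; for consistency and to avoid the extra closing brace, write this one the same way, e.g. `if ( $record->{http_allow} && defined $req->method() && !$session->inContext('command_line') ) {`. While this block is being touched, note that it sets `-status => '405'` but the exception thrown a few lines later uses `404`; the two status codes should agree.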
@@ -198,12 +199,14 @@ sub rest {
$res->print($err);
throw Foswiki::EngineException( 404, $err, $res );
}
+ }
}
# Check someone is logged in
if ( $record->{authenticate} ) {
unless ( $session->inContext('authenticated')
- || $Foswiki::cfg{LoginManager} eq 'none' )
+ || $Foswiki::cfg{LoginManager} eq 'none'
+ || $session->inContext('command_line') )
{
$res->header( -type => 'text/html', -status => '401' );
$err = "ERROR: (401) $pathInfo requires you to be logged in";
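Review bot: the added `|| $session->inContext('command_line')` makes the `command_line` context a full authentication bypass alongside `$Foswiki::cfg{LoginManager} eq 'none'`, and the same context is consulted in each of the three checks in this sub; a comment stating the assumption (a command-line invocation is run by a local administrator who already has shell access, so the HTTP-level checks are moot) and a single `my $cli = $session->inContext('command_line');` near the top of `sub rest` would make the bypass easy to audit and avoid repeating the call.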
@@ -213,7 +216,11 @@ sub rest {
}
# Validate the request
- if ( $record->{validate} ) {
+ if ( $record->{validate}
+ && $Foswiki::cfg{Validation}{Method} ne 'none'
+ && !$session->inContext('command_line') )
+ {
+
my $nonce = $req->param('validation_key');
if (
!defined($nonce)
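Review bot: the added empty `+` line directly after the opening `{` is stray whitespace and should be dropped. The new `$Foswiki::cfg{Validation}{Method} ne 'none'` test will emit an "uninitialized value" warning under `use warnings` on a configuration where that key is unset; guarding it as `( $Foswiki::cfg{Validation}{Method} || '' ) ne 'none'` keeps the intended behaviour (validate unless explicitly disabled) without the warning.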
--
MichaelDaum - 05 Dec 2014