changeset 8175:bd628e64725f

Documentation and fix for REST headers issue2551372 - Better document necessary headers for REST and fix logging to log missing Origin header.
author Ralf Schlatterbeck <rsc@runtux.com>
date Wed, 04 Dec 2024 10:45:26 +0100
parents 5ea419c1d571
children 736f769b48c8
files CHANGES.txt doc/rest.txt roundup/cgi/client.py
diffstat 3 files changed, 13 insertions(+), 1 deletions(-)
--- a/CHANGES.txt	Tue Dec 03 10:53:32 2024 -0500
+++ b/CHANGES.txt	Wed Dec 04 10:45:26 2024 +0100
@@ -30,6 +30,9 @@
   to a red error msg. (Report by Ludwig Reiter; fix John Rouillard)
 - issue2550698 - added documentation on filtering using RPN property
   expressions. (John Rouillard)
+- issue2551372 - Better document necessary headers for REST and fix
+  logging to log missing Origin header (Ralf Schlatterbeck with
+  suggestions on documentation by John Rouillard)
 
 Features:
 
--- a/doc/rest.txt	Tue Dec 03 10:53:32 2024 -0500
+++ b/doc/rest.txt	Wed Dec 04 10:45:26 2024 +0100
@@ -68,7 +68,7 @@
 Preventing CSRF Attacks
 -----------------------
 
-Clients should set the header X-REQUESTED-WITH to any value and the
+Clients should set the header ``X-REQUESTED-WITH`` to any value and the
 tracker's config.ini should have ``csrf_enforce_header_x-requested-with
 = yes`` or ``required``.
 
@@ -77,6 +77,12 @@
 the origin using the ``allowed_api_origins`` setting in
 ``config.ini``.
 
+If you access the REST interface with a method other than ``GET``, you
+must also supply an origin header with a value that is either the
+default origin (the URL of the tracker without the path component set in
+the config file as ``web`` in section ``[tracker]``) or one that is
+permitted by ``allowed_api_origins``.
+
 Rate Limiting API Failed Logins
 -------------------------------
 
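Review bot: the new paragraph names the header as plain "origin header" while the surrounding text renders literal names in double backticks (``X-REQUESTED-WITH``, ``allowed_api_origins``); write it as "the ``Origin`` header" for consistency and so readers can grep for the exact header name. It would also help to state what a client sees when the header is absent, which the code hunk in this changeset fixes: the request is rejected with status 400 and the message "Required Header Missing", and a rejected-origin request gets 400 with "Client is not allowed to use Rest Interface."; documenting both messages next to this paragraph lets API users map the error to the missing or disallowed ``Origin`` value without reading the server log.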
--- a/roundup/cgi/client.py	Tue Dec 03 10:53:32 2024 -0500
+++ b/roundup/cgi/client.py	Wed Dec 04 10:45:26 2024 +0100
@@ -719,8 +719,10 @@
         if not self.is_origin_header_ok(api=True):
             if 'HTTP_ORIGIN' not in self.env:
                 msg = self._("Required Header Missing")
+                err = 'Origin header missing'
             else:
                 msg = self._("Client is not allowed to use Rest Interface.")
+                err = 'Unauthorized for REST request'
 
             # Use code 400. Codes 401 and 403 imply that authentication
             # is needed or authenticated person is not authorized.
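Review bot: the two ``err`` strings carry no request context, so the else branch cannot tell an operator which origin was rejected when they are tuning ``allowed_api_origins``. Consider including the offending value, for example ``err = 'Unauthorized for REST request from origin %r' % self.env['HTTP_ORIGIN']``; use ``%r`` (or the logger's own argument formatting) rather than string concatenation, because the ``Origin`` value is client-supplied and should not be able to inject raw newlines into the log. Keeping ``err`` separate from the translated ``msg`` is the right call: the log line stays in one language regardless of the user's locale.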
@@ -730,6 +732,7 @@
             self.reject_request(output,
                                 message_type="application/json",
                                 status=400)
+            logger.error(err)
             return
 
         # Handle CORS preflight request. We know rest is enabled
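Review bot: ``logger`` is not defined anywhere in the visible hunks, so confirm a module-level ``logger`` already exists in ``roundup/cgi/client.py`` before this lands; otherwise the new ``logger.error(err)`` raises ``NameError`` on exactly the rejected-request path it is meant to report. Also reconsider the level: this branch answers with a 400 for a client-side omission, and any unauthenticated client can trigger it at will, so logging at ``error`` lets a remote party fill the error log on demand. ``warning`` (or ``info``) keeps the missing-``Origin`` diagnostic the issue asks for without elevating client mistakes to server errors.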

Roundup Issue Tracker: http://roundup-tracker.org/