REST GET / endpoint not working
dregad opened this issue · 4 comments
Following the merge of #66, I tried to use the new endpoints and noticed that `GET /` is not working (this is right after successfully creating both a global and a personal Snippet, using the `POST /` endpoint).
- With `global=1` I get HTTP 200 but it's actually a Mantis Access Denied error page

  ```
  GET http://localhost/mantis/api/rest/plugins/Snippets/?global=1

  HTTP/1.1 200 OK
  Date: Sun, 10 Sep 2023 10:09:36 GMT
  Server: Apache/2.4.57 (Unix) OpenSSL/3.1.2 PHP/8.1.22
  X-Powered-By: PHP/8.1.22
  Cache-Control: private, max-age=10800
  Last-Modified: Sun, 10 Sep 2023 10:02:40 GMT
  Content-Encoding: gzip
  Vary: Accept-Encoding
  Content-Length: 184
  Keep-Alive: timeout=5, max=100
  Connection: Keep-Alive
  Content-Type: text/html; charset=UTF-8

  <p class="center">Access Denied.</p>
  <p class="center"><a class="btn btn-primary btn-white btn-round " href="login_page.php?return=%2Fmantis%2Fapi%2Frest%2Findex.php%3Fglobal%3D1">Login</a> </p>
  <p class="center"><a class="btn btn-primary btn-white btn-round " href="/mantis/my_view_page.php">Proceed</a></p>
  ```

- With `global=0` I get HTTP 200 and an empty list, but there should be one Snippet; notice the `X-Mantis-Username: anonymous` header, which should actually be the administrator account owning the API Token I used for Authorization.

  ```
  GET http://localhost/mantis/api/rest/plugins/Snippets/?global=0

  HTTP/1.1 200 OK
  Date: Sun, 10 Sep 2023 10:07:25 GMT
  Server: Apache/2.4.57 (Unix) OpenSSL/3.1.2 PHP/8.1.22
  X-Powered-By: PHP/8.1.22
  Cache-Control: no-store, no-cache, must-revalidate, max-age=0
  Last-Modified: Sun, 10 Sep 2023 10:02:40 GMT
  X-Mantis-Username: anonymous
  X-Mantis-LoginMethod: cookie
  X-Mantis-Version: 2.26.0-dev
  Content-Length: 15
  Keep-Alive: timeout=5, max=100
  Connection: Keep-Alive
  Content-Type: application/json

  { "snippets": [] }
  ```
- I fixed the access html / 2xx in case of access check error. I'll open an issue for making sure methods like ensure* and access_denied() are REST API friendly.
- I am not able to reproduce the second issue with anonymous. Authentication is handled by core; make sure the API key is passed in your call.
See PR #69
I have also seen some local servers redirect http to https and lose authentication headers in the process.
Thanks for the fix. I confirm that with #69 merged,

> With global=1 I get HTTP 200 but it's actually a Mantis Access Denied error page

is fixed

> With global=0 I get HTTP 200 and an empty list, but there should be one Snippet

is working fine on this computer (Windows 10 with Ubuntu running on WSL) but it's not the same one I used when I got the issue last week, so I'll double-check on the other box (macOS) later to make sure.
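
A client-side check for the symptoms discussed in this thread, added here as an example and not part of the original issue or the Snippets plugin: it refuses to treat a 200 response as success when the body is not JSON or when `X-Mantis-Username` is not the expected account, and it flags redirects. The sample responses are trimmed from the captures above; the username `administrator`, the redirect sample and the function names are assumptions.

```python
import json
from email.parser import Parser

# Constructed samples, trimmed from the two responses captured in the issue.
DENIED = ("HTTP/1.1 200 OK\n"
          "Content-Type: text/html; charset=UTF-8\n\n"
          '<p class="center">Access Denied.</p>')
ANON = ("HTTP/1.1 200 OK\n"
        "X-Mantis-Username: anonymous\n"
        "X-Mantis-LoginMethod: cookie\n"
        "Content-Type: application/json\n\n"
        '{ "snippets": [] }')
# Constructed: an http -> https redirect of the kind mentioned in the thread.
REDIRECT = ("HTTP/1.1 301 Moved Permanently\n"
            "Location: https://localhost/mantis/api/rest/plugins/Snippets/\n\n")

def parse_response(raw):
    """Split a raw HTTP response into (status, lower-cased headers, body)."""
    head, _, body = raw.partition("\n\n")
    status_line, _, header_block = head.partition("\n")
    headers = {k.lower(): v for k, v in Parser().parsestr(header_block).items()}
    return int(status_line.split()[1]), headers, body.strip()

def diagnose(raw, expected_user):
    """Return reasons the response must not be accepted as an authenticated success."""
    status, headers, body = parse_response(raw)
    if 300 <= status < 400:
        # The follow-up request may be sent without the Authorization header.
        return ["redirect"]
    findings = []
    if not headers.get("content-type", "").lower().startswith("application/json"):
        findings.append("not-json")        # e.g. an HTML error page served with 200
    else:
        try:
            json.loads(body)
        except ValueError:
            findings.append("bad-json")
    user = headers.get("x-mantis-username")
    if user is None:
        findings.append("no-user-header")
    elif user != expected_user:
        findings.append("wrong-user:" + user)  # token was not applied to the request
    return findings

if __name__ == "__main__":
    # "administrator" is an assumed account name for the API token's owner.
    for name, raw in (("global=1", DENIED), ("global=0", ANON), ("redirect", REDIRECT)):
        print(name, diagnose(raw, "administrator"))
```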