Bug 456261 - RFE: add API to verify cookie validity over XML-RPC
Status: CLOSED NEXTRELEASE
Product: Bugzilla
Classification: Community
Component: WebService
Version: 3.2
Hardware: All Linux
Priority: low, Severity: low
Assigned To: Noura El hawary
Reported: 2008-07-22 10:59 EDT by Tomas Hoger
Modified: 2013-06-24 00:08 EDT
Doc Type: Bug Fix
Last Closed: 2008-07-29 11:02:54 EDT


Attachments
v1 for new xmlrpc function User.valid_cookie (1.39 KB, patch)
2008-07-22 23:06 EDT, Noura El hawary
dkl: review+
Description Tomas Hoger 2008-07-22 10:59:23 EDT
Description of problem:
Bugzilla XML-RPC interface should provide a method to verify if some cookie is
still valid for some bugzilla user.  The motivation is that user may log in
using User.login() and store authentication cookie in the cookie file and re-use
it in subsequent run of various scripts using XML-RPC.  Currently, there does
not seem to be an easy way to verify if cookie is still valid (possible
workaround is to verify if user names or email addresses are returned in query
results), and whether cookie is for specific user.

I used to (ab)use User.login without any argument to get (part of) that
information, which returned non-0 user id if cookie was still valid, or 0
otherwise.  However, that is no longer possible after the following upstream
change was deployed on partner-bugzilla:

  https://bugzilla.mozilla.org/show_bug.cgi?id=445885

Possible API:
User.isValidCookie($bugzilla_login), possibly with $bugzilla_login being
optional, giving answer to a question whether cookie is valid for session of any
/ specified user.

Version-Release number of selected component (if applicable):
partner-bugzilla instance as of 2008-07-22
Comment 1 David Lawrence 2008-07-22 11:15:05 EDT
Noura, with the latest change upstream that was requested and I applied the
patch, User.login() now requires that login/password be defined or else it
throws a user error. It is not likely that this patch will be reverted as I am
sure upstream will not deem this critical. So could you implement a method that
will silently call Bugzilla->login() and will return 1/0 if the user is
authenticated or not. The param { login => $email } could be required just as
some extra validation against any kind of spoofing attack.
I recommend we keep the method name short such as User.validCookie or
User.validLogin, doesn't matter.

So basically it would be

package Bugzilla::WebService::User;

sub validCookie {
    my ($self, $params) = @_;
    Bugzilla->login();
    if (Bugzilla->user->id && Bugzilla->user->login eq $params->{login}) {
        return 1;
    }
    else {
        return 0;
    }
}

What do you think?

Dave
Comment 2 Noura El hawary 2008-07-22 23:06:16 EDT
Created attachment 312414 [details]
v1 for new xmlrpc function User.valid_cookie

Hi Dave,

Based on your suggestion, I created the attached patch with the function. I
think it is a good idea.

Thanks,
Noura
Comment 3 David Lawrence 2008-07-22 23:18:23 EDT
Comment on attachment 312414 [details]
v1 for new xmlrpc function User.valid_cookie

Please add:

defined $params->{login}
    || ThrowCodeError('param_required', { param => 'login' });

before Bugzilla->login() and update the docs. Looks good so go ahead and
checkin after.

Dave
Comment 4 Noura El hawary 2008-07-22 23:52:33 EDT
Thanks for the review Dave, Patch is committed now with your suggestions.

Noura
Comment 5 Tomas Hoger 2008-07-29 06:24:00 EDT
Thanks!  Seems to work fine.
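
Client-side use of the check discussed in this bug, as an added example (not code from the attached patch or from Bugzilla): a script reuses a stored cookie only if the server confirms it belongs to the expected login, and otherwise logs in again. The method name User.valid_cookie is assumed from the attachment title, the { login } parameter and 1/0 result from comment 1; the helper names are hypothetical.

```python
import http.cookiejar
import urllib.request
import xmlrpc.client

# Assumption: wire name taken from the attachment title on this bug.
METHOD = "User.valid_cookie"

def make_caller(url, cookie_file):
    """Return (call, jar); call(method, params) sends one XML-RPC request
    with the cookies stored in cookie_file attached."""
    jar = http.cookiejar.LWPCookieJar(cookie_file)
    try:
        jar.load(ignore_discard=True)  # login cookies may be session cookies
    except FileNotFoundError:
        pass  # no stored session yet
    opener = urllib.request.build_opener(urllib.request.HTTPCookieProcessor(jar))

    def call(method, params):
        body = xmlrpc.client.dumps((params,), methodname=method).encode()
        req = urllib.request.Request(url, data=body,
                                     headers={"Content-Type": "text/xml"})
        with opener.open(req, timeout=30) as resp:
            return xmlrpc.client.loads(resp.read())[0][0]  # raises Fault on error
    return call, jar

def cookie_is_valid(call, login):
    """True only if the server reports the cookie as valid for this login."""
    if not login:
        raise ValueError("login is required")  # mirrors the server-side check
    try:
        return call(METHOD, {"login": login}) == 1
    except (xmlrpc.client.Fault, OSError):
        return False  # fail closed: any error means "log in again"

def ensure_session(call, jar, login, get_password):
    """Reuse the stored cookie if it is valid for login, else log in afresh."""
    if cookie_is_valid(call, login):
        return "reused"
    call("User.login", {"login": login, "password": get_password()})
    jar.save(ignore_discard=True)  # persist the new cookie for later runs
    return "fresh-login"
```

Passing the expected login, rather than asking only "is this cookie valid", keeps a script from silently acting under a different account whose cookie happens to be in the file.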
