Early Bird Registration for DrupalCon Portland 2024 is open! Register by 23:59 PST on 31 March 2024, to get $100 off your ticket.
When module services_basic_auth is used with Rest Server (https://www.drupal.org/project/rest_server) it fails to secure an endpoint configured to require HTTP basic authentication.
Requesting resource from this endpoint returns 200 OK instead of 401 Unauthorized
Comment | File | Size | Author |
---|---|---|---|
#2 | services_basic_auth-no-credentials-supplied-20160526.patch | 1.03 KB | klaatuveratanecto |
02.jpg | 134.66 KB | klaatuveratanecto | |
01.jpg | 93.42 KB | klaatuveratanecto |
Comments
Comment #2
klaatuveratanecto CreditAttribution: klaatuveratanecto as a volunteer commentedI have created a patch that fixes it.
Comment #3
vblanco7 CreditAttribution: vblanco7 as a volunteer and commentedIt's Work!! Thank you so much!! :)
Comment #4
f0ns CreditAttribution: f0ns commentedMy user/register functionality stopped working after this patch, I'll look into this tomorrow.
I get the following now when user/register is called: (Unauthorized : No credentials were supplied in the request.)
My call from an AngularJS app is the following:
Comment #5
markpavlitski CreditAttribution: markpavlitski at Investis Digital commented@klaatuveratanecto - this happens by design.
This module only provides authentication on behalf of services module, it does not deal with request authorization. It will not block requests, that is up to services and Drupal's permission system.
If an anonymous user has permission to access the data displayed in the endpoint, then the request will succeed even if the request is un-authenticated.
Furthermore, services allows more than one authentication mechanism to be used and they are tried in sequence, implementing the patch provided would break that behaviour.
Comment #6
markpavlitski CreditAttribution: markpavlitski at Investis Digital commented