Always setLastLoginExternalIdKey for IdentifiedUsers
Anonymous users have no login external id key, so it makes no sense to set it for them in the read path. The two callers for this property are GetExternalIds and DeleteExternalIds. The latter is not a read method and should expect to have the current value to prevent the user from deleting their current external id. Change-Id: Id0671530fe649e6b0fcfd489fc384e37a2fd02e2
@@ -1147,7 +1147,6 @@ public class RestApiServlet extends HttpServlet {
|
|||||||
CurrentUser user = globals.currentUser.get();
|
CurrentUser user = globals.currentUser.get();
|
||||||
if (isRead(req)) {
|
if (isRead(req)) {
|
||||||
user.setAccessPath(AccessPath.REST_API);
|
user.setAccessPath(AccessPath.REST_API);
|
||||||
user.setLastLoginExternalIdKey(globals.webSession.get().getLastLoginExternalId());
|
|
||||||
} else if (user instanceof AnonymousUser) {
|
} else if (user instanceof AnonymousUser) {
|
||||||
throw new AuthException("Authentication required");
|
throw new AuthException("Authentication required");
|
||||||
} else if (!globals.webSession.get().isAccessPathOk(AccessPath.REST_API)) {
|
} else if (!globals.webSession.get().isAccessPathOk(AccessPath.REST_API)) {
|
||||||
@@ -1155,6 +1154,9 @@ public class RestApiServlet extends HttpServlet {
|
|||||||
"Invalid authentication method. In order to authenticate, "
|
"Invalid authentication method. In order to authenticate, "
|
||||||
+ "prefix the REST endpoint URL with /a/ (e.g. http://example.com/a/projects/).");
|
+ "prefix the REST endpoint URL with /a/ (e.g. http://example.com/a/projects/).");
|
||||||
}
|
}
|
||||||
|
if (user.isIdentifiedUser()) {
|
||||||
|
user.setLastLoginExternalIdKey(globals.webSession.get().getLastLoginExternalId());
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
private static boolean isRead(HttpServletRequest req) {
|
private static boolean isRead(HttpServletRequest req) {
|
||||||
|
|||||||
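Review bot: The new `if (user.isIdentifiedUser())` block at the end of the second hunk copies `globals.webSession.get().getLastLoginExternalId()` onto the user without checking what the session returned. Nothing visible here shows that the value is always present for an identified user; whether it can be absent (for instance when a request is authenticated without a signed-in web session) depends on the session class, which is outside this page. Since the commit message says DeleteExternalIds relies on this value to stop a user deleting their current external id, it is worth confirming that DeleteExternalIds fails closed when the key is missing, and adding a test for a non-read request. A short comment above the block would also help, e.g. `// Needed on write paths too: DeleteExternalIds uses it to refuse deleting the id the user logged in with.` The enclosing method starts before the first hunk.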