Merge changes I11562ab1,Id0671530,I51265bdd

* changes:
  Allow additional cookies during xd requests
  Always setLastLoginExternalIdKey for IdentifiedUsers
  Remove duplicate Vary: Access-Control-Request header
This commit is contained in:
Shawn Pearce
2017-08-09 20:08:29 +00:00
committed by Gerrit Code Review
2 changed files with 9 additions and 2 deletions


@@ -212,6 +212,11 @@ public class CorsIT extends AbstractDaemonTest {
Header allowOrigin = r.getFirstHeader(ACCESS_CONTROL_ALLOW_ORIGIN);
assertThat(allowOrigin).named(ACCESS_CONTROL_ALLOW_ORIGIN).isNotNull();
assertThat(allowOrigin.getValue()).named(ACCESS_CONTROL_ALLOW_ORIGIN).isEqualTo(origin);
Header allowAuth = r.getFirstHeader(ACCESS_CONTROL_ALLOW_CREDENTIALS);
assertThat(allowAuth).named(ACCESS_CONTROL_ALLOW_CREDENTIALS).isNotNull();
assertThat(allowAuth.getValue()).named(ACCESS_CONTROL_ALLOW_CREDENTIALS).isEqualTo("true");
checkTopic(change, "test-xd");
}
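Review bot: The new assertions pin `Access-Control-Allow-Credentials` to exactly `"true"` on the xd path, but nothing in this section exercises the third change in the merge, the removal of the duplicate `Vary: Access-Control-Request-Headers` header, which lives on the preflight path rather than here. If the preflight test (not visible in this hunk) does not already check it, an assertion that `r.getHeaders("Vary")` lists `Access-Control-Request-Headers` exactly once would keep that fix from regressing. The test method's body starts before the hunk, so I cannot tell whether a negative case for a non-allow-listed origin is covered elsewhere.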


@@ -554,6 +554,7 @@ public class RestApiServlet extends HttpServlet {
}
res.addHeader(VARY, ORIGIN);
res.setHeader(ACCESS_CONTROL_ALLOW_ORIGIN, origin);
res.setHeader(ACCESS_CONTROL_ALLOW_CREDENTIALS, "true");
} else if (!Strings.isNullOrEmpty(origin)) {
// All other requests must be processed, but conditionally set CORS headers.
if (globals.allowOrigin != null) {
@@ -591,7 +592,6 @@ public class RestApiServlet extends HttpServlet {
String headers = req.getHeader(ACCESS_CONTROL_REQUEST_HEADERS);
if (headers != null) {
res.addHeader(VARY, ACCESS_CONTROL_REQUEST_HEADERS);
for (String reqHdr : Splitter.on(',').trimResults().split(headers)) {
if (!ALLOWED_CORS_REQUEST_HEADERS.contains(reqHdr.toLowerCase(Locale.US))) {
throw new BadRequestException(reqHdr + " not allowed in CORS");
@@ -1148,7 +1148,6 @@ public class RestApiServlet extends HttpServlet {
CurrentUser user = globals.currentUser.get();
if (isRead(req)) {
user.setAccessPath(AccessPath.REST_API);
user.setLastLoginExternalIdKey(globals.webSession.get().getLastLoginExternalId());
} else if (user instanceof AnonymousUser) {
throw new AuthException("Authentication required");
} else if (!globals.webSession.get().isAccessPathOk(AccessPath.REST_API)) {
@@ -1156,6 +1155,9 @@ public class RestApiServlet extends HttpServlet {
"Invalid authentication method. In order to authenticate, "
+ "prefix the REST endpoint URL with /a/ (e.g. http://example.com/a/projects/).");
}
if (user.isIdentifiedUser()) {
user.setLastLoginExternalIdKey(globals.webSession.get().getLastLoginExternalId());
}
}
private static boolean isRead(HttpServletRequest req) {
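Review bot: In the first hunk, `res.setHeader(ACCESS_CONTROL_ALLOW_CREDENTIALS, "true")` is added beside a reflected `ACCESS_CONTROL_ALLOW_ORIGIN, origin`, a combination that is only safe when the origin has already been matched against the configured allow-list; the condition opening this branch sits above the hunk, so I cannot confirm that from here, and a comment at the new line stating the dependency would help, e.g. `// Credentials are reflected only because origin already matched the configured allow-list above.` (adjust if the gating check differs). In the last hunk, `globals.webSession.get()` is now evaluated again in the new `isIdentifiedUser()` branch after the `isAccessPathOk` check already fetched it; hoisting it into a local before `if (isRead(req))` would avoid the repeated provider lookup. That method's body begins before the hunk.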