  1. eZ Publish / Platform
  2. EZP-21278

[REST API] Get current version with anonymous user: spec doesn't correspond to behaviour

    Details

      Description

      With an anonymous user, when attempting to get the

      Resource: /content/objects/<ID>/currentversion
      

      it will throw a 401 Not Authorized

      "errorCode": 401,
      "errorMessage": "Unauthorized",
      "errorDescription": "User does not have access to 'versionread' 'content'",
      

      @see https://github.com/ezsystems/ezpublish-kernel/blob/master/doc/specifications/rest/REST-API-V2.rst#1324managing-versions

      How to reproduce:

          Scenario: Get content current version of a published content
              Given I am logged as anonymous user
               And I have content of type "folder"
               And I have value "Test folder" in field "name"
               And I have content in "Publish" state
              When I load "Test folder" current version
              Then I see no errors
               And I see a content version of type "Published"
               And I see value "Test folder" in field "name"
               And I see value "1" in field "version number"
      

      Notice: to test with an anonymous user in REST (basic auth), you need to actually create an anonymous user

        Activity

        Bertrand Dunogier added a comment -

        The issue does not affect earlier versions at all?

        Petar Spanja (Inactive) added a comment -

        It should affect all previous versions. Do we need a backport?

        Petar Spanja (Inactive) added a comment - Fixed in ezpublish-kernel/master: https://github.com/ezsystems/ezpublish-kernel/commit/4051143e175f4eb360ecec35694b571c5d02f9c2
        Petar Spanja (Inactive) added a comment -

        @Marcos Loureiro

        I'm unable to reproduce this, for me it works as expected:

        www-data@wyoh: ~/rest-scripts/xml/content [master] $ ./08-loadContentCurrentVersion.sh
        GET /api/ezp/v2/content/objects/58/currentversion HTTP/1.1
        Accept: */*
        Accept-Encoding: gzip, deflate, compress
        Host: ezpublish5.local
        User-Agent: HTTPie/0.3.0
         
         
         
        HTTP/1.1 307 Temporary Redirect
        Cache-Control: no-cache
        Content-Encoding: gzip
        Content-Type: text/html; charset=UTF-8
        Date: Wed, 25 Sep 2013 10:24:56 GMT
        Location: /api/ezp/v2/content/objects/58/versions/1
        Server: Apache/2.2.22 (Ubuntu)
        Set-Cookie: eZSESSID=v2nou793j3j3nvvad68sq5ke13; path=/
        Status: 307 Temporary Redirect
        Transfer-Encoding: chunked
        Vary: Accept-Encoding
        X-Debug-Token: c088a3
        X-Powered-By: PHP/5.4.12-1~ppa1~precise

        Marcos Loureiro (Inactive) added a comment -

        Is it possible to post that script into a Gist (or similar)?

        For the test I'm using Firefox RESTClient, where I've actually got to send authorization or else I get a 401,
        so I needed to create an anonymous user and "log" with it.

        Petar Spanja (Inactive) added a comment -

        @Marcos Loureiro

        This is already available at https://github.com/emodric/ezpRestScripts.
        I just modify the scripts as needed by the case in hand.

        Maybe you just needed to disable basic auth?

        Joao Pingo (Inactive) added a comment -

        @Petar
        The issue is in Firefox RESTClient, since it tries to follow the redirect, and so the anonymous user will try to load a version (for which it does not have authorization)
        Tested using curl

        curl -u "anonymous:123" -i -X GET  http://ezp5.dev.vagrant/api/ezp/v2/content/objects/58/currentversion

        The response is a 307 Redirect which is correct

        QA Approved
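
The behaviour described in the comment above, as an added example that is not part of the original thread or of the eZ Publish code base: a constructed local stub replays the two responses reported in the thread (307 for `currentversion`, 401 for the version resource), and the same GET is probed with and without redirect following. `StubApi`, `NoRedirect`, `probe` and `run_demo` are hypothetical names, and the stub ignores credentials.

```python
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit

BASE = "/api/ezp/v2/content/objects/58"  # object path quoted in the thread


class StubApi(BaseHTTPRequestHandler):
    """Constructed stand-in for the REST API: replays only the two statuses from the thread."""

    def do_GET(self):
        if self.path == BASE + "/currentversion":
            self.send_response(307)
            self.send_header("Location", BASE + "/versions/1")
        else:  # version resource: anonymous lacks the 'versionread' policy
            self.send_response(401)
        self.send_header("Content-Length", "0")
        self.end_headers()


class NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, *args, **kwargs):
        return None  # refuse to follow, so the 3xx itself is reported


def probe(url, follow):
    """Return (status, path that answered, Location header) for one GET."""
    handlers = [urllib.request.ProxyHandler({})]  # never route through a proxy
    if not follow:
        handlers.append(NoRedirect())
    try:
        resp = urllib.request.build_opener(*handlers).open(url, timeout=5)
    except urllib.error.HTTPError as err:
        resp = err  # HTTPError carries the status, URL and headers as well
    result = (resp.code, urlsplit(resp.url).path, resp.headers.get("Location"))
    resp.close()
    return result


def run_demo():
    """Start the stub on a free local port and probe it both ways."""
    server = HTTPServer(("127.0.0.1", 0), StubApi)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    url = "http://127.0.0.1:%d%s/currentversion" % (server.server_port, BASE)
    try:
        return probe(url, follow=False), probe(url, follow=True)
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    print(run_demo())
```

The stub's request log on stderr shows the second GET that a redirect-following client issues, which is the request the 401 actually belongs to.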

        Petar Spanja (Inactive) added a comment - Additional fix: https://github.com/ezsystems/ezpublish-kernel/pull/530 Merged in: https://github.com/ezsystems/ezpublish-kernel/commit/1512096cc0a9c184d4314981eef5dd156eb5f78a

          People

          • Assignee:
            Unassigned
            Reporter:
            Marcos Loureiro (Inactive)

              Time Tracking

              Estimated: Not Specified
              Remaining: 15m
              Logged: 5h 10m