FIX: Don't redirect XHR/JSON requests when login is required (#15093)

When redirecting to login, we store a destination_url cookie, which the user is then redirected to after login. We never want the user to be redirected to a JSON URL. Instead, we should return a 403 in these situations. This should also be much less confusing for API consumers - a 403 is a better representation than a 302.
2025-05-31 01:17:16 +08:00 · 2021-12-02 15:12:25 +00:00
parent 55cbc70f3f
commit cfb6199a95
4 changed files with 46 additions and 11 deletions
--- a/spec/integration/api_keys_spec.rb
+++ b/spec/integration/api_keys_spec.rb
@ -45,7 +45,7 @@ describe 'api keys' do

    # Confirm not allowed for json
    get "/latest.json?api_key=#{api_key.key}&api_username=#{user.username.downcase}"
-    expect(response.status).to eq(302)
+    expect(response.status).to eq(403)
  end

  context "with a plugin registered filter" do
@ -96,7 +96,7 @@ describe 'user api keys' do

    # Confirm not allowed for json
    get "/latest.json?user_api_key=#{user_api_key.key}"
-    expect(response.status).to eq(302)
+    expect(response.status).to eq(403)
  end

  it "can restrict scopes by parameters" do