Note: This is a beta release of Red Hat Bugzilla 5.0. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Also email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback here.
Bug 456261 - RFE: add API to verify cookie validity over XML-RPC
Summary: RFE: add API to verify cookie validity over XML-RPC
Alias: None
Product: Bugzilla
Classification: Community
Component: WebService
Version: 3.2
Hardware: All
OS: Linux
low vote
Target Milestone: ---
Assignee: Noura El hawary
QA Contact:
Depends On:
TreeView+ depends on / blocked
Reported: 2008-07-22 14:59 UTC by Tomas Hoger
Modified: 2013-06-24 04:08 UTC (History)
0 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2008-07-29 15:02:54 UTC

Attachments (Terms of Use)
v1 for new xmlrpc function User.valid_cookie (deleted)
2008-07-23 03:06 UTC, Noura El hawary
dkl: review+
Details | Diff

Description Tomas Hoger 2008-07-22 14:59:23 UTC
Description of problem:
Bugzilla XML-RPC interface should provide a method to verify if some cookie is
still valid for some bugzilla user.  The motivation is that user may log in
using User.login() and store authentication cookie in the cookie file an re-use
it in subsequent run of various scripts using XML-RPC.  Currently, there does
not seem to be an easy way to verify if cookie is still valid (possible
workaround is to verify if user names or email addresses are returned in query
results), and whether cookie is for specific user.

I used to (ab)use User.login without any argument to get (part of) that
information, which returned non-0 user id if cookie was still valid, or 0
otherwise.  However, that is no longer possible after following upstream change
was deployed on parter-bugzilla:

Possible API:
User.isValidCookie($bugzilla_login), possibly with $bugzilla_login being
optional, giving answer to a question whether cookie is valid for session of any
/ specified user.

Version-Release number of selected component (if applicable):
partner-bugzilla instance as of 2008-07-22

Comment 1 David Lawrence 2008-07-22 15:15:05 UTC
Noura, with the latest change upstream that was requested and I applied the
patch, User.login() now requires that login/password be defined or else it
throws an user error. It is not likely that this patch will be reverted as I am
sure upstream will not deem this critical. So could you implement a method that
will silently call Bugzilla->login() and will return 1/0 if the user is
authenticated or not. The param { login => $email } could be required just as
some extra validation against any kind of spoofing attack.
I recommend we keep the method name short such as User.validCookie or
User.validLogin, doesn't matter.

So basically it would be

package Bugzilla::WebService::User;

sub validCookie {
    my ($self, $params) = @_;
    if (Bugzilla->user->id && Bugzilla->user->login eq $params->{login}) {
        return 1;
    else {
        return 0;

What do you think?


Comment 2 Noura El hawary 2008-07-23 03:06:16 UTC
Created attachment 312414 [details]
v1 for new xmlrpc function User.valid_cookie

Hi Dave,

Based on your suggestion, I created the attached patch with the function, I
think it a good idea. 


Comment 3 David Lawrence 2008-07-23 03:18:23 UTC
Comment on attachment 312414 [details]
v1 for new xmlrpc function User.valid_cookie

Please add:

defined $params->{login}
    || ThrowCodeError('param_required', { param => 'login' });

before Bugzilla->login() and update the docs. Looks good so go ahead and
checkin after.


Comment 4 Noura El hawary 2008-07-23 03:52:33 UTC
Thanks for the review Dave, Patch is committed now with your suggestions.


Comment 5 Tomas Hoger 2008-07-29 10:24:00 UTC
Thanks!  Seems to work fine.

Note You need to log in before you can comment on or make changes to this bug.