changelog and tests for issue #328

maxtepkeev · Mar 3, 2024 · 79ef42b · 79ef42b
1 parent c656cd9
commit 79ef42b
Show file tree

Hide file tree

Showing 3 changed files with 11 additions and 4 deletions.
diff --git a/CHANGELOG.rst b/CHANGELOG.rst
@@ -28,6 +28,12 @@ Changelog
 
 **Changes**:
 
+- *Backwards Incompatible:* API key is now being sent in the X-Redmine-API-Key header instead of the key GET
+  parameter which makes things more secure in case of a failed connection, but it might created issues for servers
+  that don't do custom request header forwarding by default, so be sure to check your web server before upgrading
+  (`Issue #328 <https://github.com/maxtepkeev/python-redmine/issues/328>`__ and
+  `Issue #330 <https://github.com/maxtepkeev/python-redmine/issues/330>`__) (thanks to `Tom Misilo <https://github.com/misilot>`__
+  and `Ricardo Branco <https://github.com/ricardobranco777>`__)
 - *Backwards Incompatible:* User ``all`` operation now really returns all users, i.e. not only active, but locked,
   registered and anonymous as well instead of only returning just active users in previous versions due to the
   respect to Redmine's standard behaviour (`Issue #327 <https://github.com/maxtepkeev/python-redmine/issues/327>`__)

diff --git a/tests/test_engines.py b/tests/test_engines.py
@@ -8,7 +8,7 @@
 class BaseEngineTestCase(BaseRedmineTestCase):
     def test_engine_init(self):
         redmine = Redmine(self.url, key='123', impersonate='jsmith', requests={'foo': 'bar'})
-        self.assertEqual(redmine.engine.requests['params']['key'], '123')
+        self.assertEqual(redmine.engine.requests['headers']['X-Redmine-API-Key'], '123')
         self.assertEqual(redmine.engine.requests['headers']['X-Redmine-Switch-User'], 'jsmith')
         self.assertEqual(redmine.engine.requests['foo'], 'bar')
         redmine = Redmine(self.url, username='john', password='qwerty')

diff --git a/tests/test_redmine.py b/tests/test_redmine.py
@@ -41,8 +41,8 @@ def test_session_impersonate(self):
 
     def test_session_key(self):
         with self.redmine.session(key='opa'):
-            self.assertEqual(self.redmine.engine.requests['params']['key'], 'opa')
-        self.assertRaises(KeyError, lambda: self.redmine.engine.requests['params']['key'])
+            self.assertEqual(self.redmine.engine.requests['headers']['X-Redmine-API-Key'], 'opa')
+        self.assertRaises(KeyError, lambda: self.redmine.engine.requests['headers']['X-Redmine-API-Key'])
 
     def test_session_username_password(self):
         with self.redmine.session(username='john', password='smith'):
@@ -53,7 +53,8 @@ def test_session_requests(self):
         self.redmine.engine.requests['cert'] = ('bar', 'baz')
         requests = {'verify': False, 'timeout': 2, 'cert': ('foo', 'bar'), 'params': {'foo': 'bar'}}
         with self.redmine.session(key='secret', requests=requests):
-            self.assertEqual(self.redmine.engine.requests['params'], dict(key='secret', **requests['params']))
+            self.assertEqual(self.redmine.engine.requests['headers'], {'X-Redmine-API-Key': 'secret'})
+            self.assertEqual(self.redmine.engine.requests['params'], requests['params'])
             self.assertEqual(self.redmine.engine.requests['verify'], requests['verify'])
             self.assertEqual(self.redmine.engine.requests['timeout'], requests['timeout'])
             self.assertEqual(self.redmine.engine.requests['cert'], requests['cert'])