Details
Bug
Resolution: Fixed
Medium
Description
When the RequireAuthentication setting is set to disabled, eZ will always use a fixed user account for REST calls.
Since this is REST, we're not supposed to use sessions at all.
But the current code will try to create a session anyway: in ezpRestAuthConfiguration::filter(), if the auth filter returns a user account, the setCurrentlyLoggedInUser() function is called, which creates a session.
A small fix could be to avoid the call to setCurrentlyLoggedInUser() if the user id of the user account corresponds to the user id of the current account. That would be the case when, e.g., RequireAuthentication has been set to disabled and the default user to be used for REST calls is the anon user.
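The guard proposed above, modelled as an added stand-alone example; it is not eZ Publish code and not part of the original report. `StubSession`, `StubUser`, `filterBefore()` and `filterAfter()` are hypothetical stand-ins, and the user ids are constructed.

```php
<?php
// Hypothetical stand-ins for the session layer and the user class.
final class StubSession
{
    public static $started = 0;
    public static function start(): void { self::$started++; }
}

final class StubUser
{
    public $id;
    private static $currentId = 10; // constructed id for the anon user

    public function __construct(int $id) { $this->id = $id; }
    public static function currentId(): int { return self::$currentId; }

    // Models the reported behaviour: switching the current user creates a session.
    public static function setCurrentlyLoggedInUser(StubUser $user): void
    {
        StubSession::start();
        self::$currentId = $user->id;
    }
}

// Reported behaviour: any account returned by the auth filter is logged in.
function filterBefore(?StubUser $user): void
{
    if ($user !== null) {
        StubUser::setCurrentlyLoggedInUser($user);
    }
}

// Proposed fix: skip the call when the returned account is already current.
function filterAfter(?StubUser $user): void
{
    if ($user !== null && $user->id !== StubUser::currentId()) {
        StubUser::setCurrentlyLoggedInUser($user);
    }
}

$anon = new StubUser(10); // RequireAuthentication disabled, default REST user is anon
filterBefore($anon);
echo "before fix, anon call: sessions = ", StubSession::$started, PHP_EOL;

StubSession::$started = 0;
filterAfter($anon);
echo "after fix, anon call: sessions = ", StubSession::$started, PHP_EOL;

filterAfter(new StubUser(14)); // constructed id for a different account
echo "after fix, other account: sessions = ", StubSession::$started, PHP_EOL;
```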