Edgewall Software
Modify

Opened 12 years ago

Closed 12 years ago

#459 closed defect (fixed)

build slaves now require WIKI_VIEW permissions

Reported by: wbell Owned by: osimons
Priority: minor Milestone: 0.6
Component: General Version: 0.6b2
Keywords: Cc:
Operating System: BSD

Description

One of the side-effects of the token changes on the slave is that slaves now require WIKI_VIEW permissions to access /login. We should either remove this requirement or update the documentation to reflect this.

Attachments (1)

459-login_redirect-r780.diff (2.7 KB) - added by osimons 12 years ago.
Doing login with explicit redirect.

Download all attachments as: .zip

Change History (9)

comment:1 Changed 12 years ago by rblank

You could use the ?referer= query argument with the /login URL to redirect to another page than Wiki Start, like so:

http://trac.example.com/login?referer=http://trac.example.com/builds

Note that the URL specified in the referer= argument must be absolute and point to the same Trac instance as the login page. Relative URLs would actually be a good idea, too, so we should probably fix this in Trac.

comment:2 follow-up: Changed 12 years ago by osimons

Heh. I was going to suggest that - and also explain why it won't work as a GET for /builds will instead return a 405 Method not allowed... If so, we'd need to strap on some other argument or attach something to the session that allowes us to just return an emtpy response and be done. Perhaps we can check the referrer and see it if we are redirected from login? Would need to look at the details to see what the incoming request actually contains.

I'd still prefer that Trac supported a no-nonsense HEAD request to /login that did not redirect (trac:ticket:8598) but I suppose that is not realistic at this stage.

comment:3 Changed 12 years ago by osimons

  • Milestone changed from 0.6.1 to 0.6

Need to tweak this before 0.6 final.

comment:4 in reply to: ↑ 2 ; follow-up: Changed 12 years ago by rblank

Replying to osimons:

Heh. I was going to suggest that - and also explain why it won't work as a GET for /builds will instead return a 405 Method not allowed...

How about allowing GET for /builds and returning an empty document?

Changed 12 years ago by osimons

Doing login with explicit redirect.

comment:5 in reply to: ↑ 4 Changed 12 years ago by osimons

  • Owner set to osimons

Replying to rblank:

How about allowing GET for /builds and returning an empty document?

Yeah. I'm fresh out of other and better options, so attachment:459-login_redirect-r780.diff implements this suggestion. Works well for regular authentication.

It needs testing with form authentication - not sure how that works or how it handles redirects, as I've never looked at acct_mgr.

comment:6 follow-up: Changed 12 years ago by rblank

You should probably URL-escape the referer= argument.

comment:7 in reply to: ↑ 6 Changed 12 years ago by osimons

Replying to rblank:

You should probably URL-escape the referer= argument.

Yup. Good call. Changed patch like this:

  • bitten/slave.py

    a b  
    192192            try:
    193193                try:
    194194                    if self.username and not self.auth_map.get(url):
    195                         login_url = '%s/login?referer=%s' % (url[:-7], url)
     195                        login_url = '%s/login?referer=%s' % (url[:-7],
     196                                                        urllib.quote_plus(url))
    196197                        # First request to url, authentication needed
    197198                        if self.form_auth:
    198199                            log.debug('Performing http form authentication')

Testing with acct_mgr remains.

comment:8 Changed 12 years ago by osimons

  • Resolution set to fixed
  • Status changed from new to closed

Committed in [793]. Acct_mgr is still untested by me, so if anyone spots issues with this then please reopen ticket.

Add Comment

Modify Ticket

Change Properties
Set your email in Preferences
Action
as closed The owner will remain osimons.
The resolution will be deleted. Next status will be 'reopened'.
Author


E-mail address and user name can be saved in the Preferences.

 
Note: See TracTickets for help on using tickets.