Opened 15 years ago
Closed 15 years ago
#459 closed defect (fixed)
build slaves now require WIKI_VIEW permissions
| Reported by: | wbell | Owned by: | osimons |
|---|---|---|---|
| Priority: | minor | Milestone: | 0.6 |
| Component: | General | Version: | 0.6b2 |
| Keywords: | | Cc: | |
| Operating System: | BSD | | |
Description
One of the side-effects of the token changes on the slave is that slaves now require WIKI_VIEW permissions to access /login. We should either remove this requirement or update the documentation to reflect this.
Attachments (1)
Change History (9)
comment:1 Changed 15 years ago by rblank
comment:2 follow-up: ↓ 4 Changed 15 years ago by osimons
Heh. I was going to suggest that - and also explain why it won't work as a GET for /builds will instead return a 405 Method not allowed... If so, we'd need to strap on some other argument or attach something to the session that allows us to just return an empty response and be done. Perhaps we can check the referrer and see if we are redirected from login? Would need to look at the details to see what the incoming request actually contains.
I'd still prefer that Trac supported a no-nonsense HEAD request to /login that did not redirect (trac:ticket:8598) but I suppose that is not realistic at this stage.
comment:3 Changed 15 years ago by osimons
- Milestone changed from 0.6.1 to 0.6
Need to tweak this before 0.6 final.
comment:4 in reply to: ↑ 2 ; follow-up: ↓ 5 Changed 15 years ago by rblank
Replying to osimons:
> Heh. I was going to suggest that - and also explain why it won't work as a GET for /builds will instead return a 405 Method not allowed...
How about allowing GET for /builds and returning an empty document?
comment:5 in reply to: ↑ 4 Changed 15 years ago by osimons
- Owner set to osimons
Replying to rblank:
> How about allowing GET for /builds and returning an empty document?
Yeah. I'm fresh out of other and better options, so attachment:459-login_redirect-r780.diff implements this suggestion. Works well for regular authentication.
It needs testing with form authentication - not sure how that works or how it handles redirects, as I've never looked at acct_mgr.
comment:6 follow-up: ↓ 7 Changed 15 years ago by rblank
You should probably URL-escape the referer= argument.
comment:7 in reply to: ↑ 6 Changed 15 years ago by osimons
Replying to rblank:
> You should probably URL-escape the referer= argument.
Yup. Good call. Changed patch like this:
-
bitten/slave.py
a b 192 192 try: 193 193 try: 194 194 if self.username and not self.auth_map.get(url): 195 login_url = '%s/login?referer=%s' % (url[:-7], url) 195 login_url = '%s/login?referer=%s' % (url[:-7], 196 urllib.quote_plus(url)) 196 197 # First request to url, authentication needed 197 198 if self.form_auth: 198 199 log.debug('Performing http form authentication')
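Review bot: `url[:-7]` in the new `login_url` line still hard-codes the length of `/builds`, so a configured URL with a trailing slash or a different final path segment yields a wrong login URL while the escaped `referer=` value carries the full `url`; consider checking `url.endswith('/builds')` before slicing, or deriving the base URL explicitly. The visible lines also do not show `urllib` being imported, so confirm that `bitten/slave.py` imports it at module level.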
Testing with acct_mgr remains.
comment:8 Changed 15 years ago by osimons
- Resolution set to fixed
- Status changed from new to closed
Committed in [793]. Acct_mgr is still untested by me, so if anyone spots issues with this then please reopen ticket.
You could use the ?referer= query argument with the /login URL to redirect to another page than Wiki Start, like so:
Note that the URL specified in the referer= argument must be absolute and point to the same Trac instance as the login page. Relative URLs would actually be a good idea, too, so we should probably fix this in Trac.
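The following is an added example, not part of the ticket or of Bitten's or Trac's code. It shows why the `referer=` value needs escaping and what the "absolute and same instance" rule in the note above amounts to. It uses Python 3's `urllib.parse` where the patch uses Python 2's `urllib.quote_plus`; the host name, the `r&d` environment path, the function names and the server-side rule are constructed assumptions.

```python
from urllib.parse import parse_qs, quote_plus, urlsplit

# Constructed sample values: an environment whose path contains '&'.
BASE_URL = 'http://trac.example.org/r&d'
BUILDS_URL = BASE_URL + '/builds'
SUFFIX = '/builds'


def build_login_url(builds_url, escape=True):
    """Client side: <base>/login?referer=<builds URL>, escaped by default."""
    if not builds_url.endswith(SUFFIX):
        raise ValueError('expected a URL ending in %s' % SUFFIX)
    base = builds_url[:-len(SUFFIX)]
    referer = quote_plus(builds_url) if escape else builds_url
    return '%s/login?referer=%s' % (base, referer)


def received_referer(login_url):
    """The referer value a server sees after parsing the query string."""
    return parse_qs(urlsplit(login_url).query).get('referer', [''])[0]


def referer_allowed(referer, base_url):
    """Assumed server-side rule: absolute URL, same scheme and host,
    and a path at or below the instance's base path."""
    ref, base = urlsplit(referer), urlsplit(base_url)
    if not ref.scheme or not ref.netloc:
        return False  # relative URL
    if (ref.scheme, ref.netloc.lower()) != (base.scheme, base.netloc.lower()):
        return False  # different scheme or host
    base_path = base.path.rstrip('/') + '/'
    return (ref.path.rstrip('/') + '/').startswith(base_path)


if __name__ == '__main__':
    for escape in (True, False):
        login = build_login_url(BUILDS_URL, escape)
        seen = received_referer(login)
        print(escape, login)
        print('  server sees:', seen, '-> allowed:',
              referer_allowed(seen, BASE_URL))
    for candidate in ('/r&d/builds', 'http://other.example.org/r&d/builds'):
        print(candidate, '-> allowed:', referer_allowed(candidate, BASE_URL))
```

Without escaping, the `&` in the path ends the `referer` parameter early, so the server receives a truncated URL that no longer points inside the instance.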