Roundup Tracker - Issues

Message5087

Author ber
Recipients antmail, ber, jerrykan, techtonik
Date 2014-04-23.10:10:30
Message-id <1398247831.52.0.650477945428.issue2550837@psf.upfronthosting.co.za>
In-reply-to
To unify the communication, here are two emails from roundup-devel:


----------Original Message----------
From: anatoly techtonik <techtonik@gmail.com>
Sent: Monday 14 April 2014, 17:02:08
To: Anthony Pankov <ant_mail@inbox.ru>
Subject: Re: [Roundup-devel] patch for more flexible web auth

Hi Anthony,

On Mon, Apr 14, 2014 at 10:37 AM, Anthony Pankov <ant_mail@inbox.ru> wrote:
>
> Some days ago I created a roundup-tracker issue
> ( http://issues.roundup-tracker.org/issue2550837 ) but have had no reply.
>
> Can somebody audit and apply the patch to the
> roundup-tracker source tree?

REMOTE_USER is not a default standard of authentication in web
applications. For example, Django doesn't use it by default, and
in the Django backend for it I don't see a way to customize the name
of the variable used to fetch it:
https://docs.djangoproject.com/en/dev/howto/auth-remote-user/

You have a very specific use case that is needed by less than 1%
of Roundup installations, and I don't like the idea of using another
global configuration option, because all the other 99% will have to read
through it and waste time guessing what this option means.


I'd propose instead to add a chapter named "Authentication"
to the admin guide, probably renaming this one:
http://roundup.sourceforge.net/docs/admin_guide.html#users-and-security
and document the current way of writing authentication extensions.

Your scenario is a good candidate to be included as a basic
example. An alternative would be to review the current scheme
and submit a patch that improves it.
-------------------------------------------------------

----------Original Message----------
From: Anthony Pankov <ant_mail@inbox.ru>
Sent: Wednesday 16 April 2014, 09:55:02
Subject: Re: [Roundup-devel] patch for more flexible web auth


> REMOTE_USER is not a default standard of authentication in web
> applications.

I suspected this. So I suppose there should be a way to control it somehow.

> You have a very specific use case that is needed by less than 1%
> of Roundup installations, and I don't like the idea of using another
> global configuration option, because all the other 99% will have to read
> through it and waste time guessing what this option means.

There is an issue with Apache: it silently suppresses a REMOTE_USER
variable that does not come from its own auth modules. I can't find any way
to twist the Apache configuration to let roundup-tracker do the job in
its current state.



> I'd propose instead to add a chapter named "Authentication"
> to the admin guide, probably renaming this one:
> http://roundup.sourceforge.net/docs/admin_guide.html#users-and-security
> and document the current way of writing authentication extensions.

I don't see anything like an authentication driver in the internal
roundup-tracker code. There is a direct call to
determine_user() in client.py, which is defined as:

        # first up, try http authorization if enabled
        if self.instance.config['WEB_HTTP_AUTH']:
            if 'REMOTE_USER' in self.env:
                # we have external auth (e.g. by Apache)
                user = self.env['REMOTE_USER']
            elif self.env.get('HTTP_AUTHORIZATION', ''):
                # try handling Basic Auth ourselves
                auth = self.env['HTTP_AUTHORIZATION']
                scheme, challenge = auth.split(' ', 1)
                if scheme.lower() == 'basic':

So any extension will run after this code has executed, which means low
effectiveness. Maybe I've missed something.
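As an added example (not Roundup's code and not part of this thread), the following stand-alone Python reproduces the order of checks quoted above from determine_user(): REMOTE_USER first, then a Basic Authorization header parsed by the application itself. It adds one hypothetical extension, a configurable second CGI variable name (the option name WEB_HTTP_AUTH_VARIABLE and the sample header value are assumptions made for this example), which is the kind of hook the discussion is about when REMOTE_USER cannot be set by the front end. It also handles the malformed-header cases the quoted fragment does not show.

```python
import base64
import binascii

# Constructed sample: "Authorization: Basic" value for carol:s3cret.
SAMPLE_BASIC_HEADER = 'Basic Y2Fyb2w6czNjcmV0'


def parse_basic_auth(header_value):
    """Return (user, password) from an 'Authorization: Basic ...' value,
    or None when the header is absent, not Basic, or malformed."""
    if not header_value:
        return None
    parts = header_value.split(' ', 1)
    if len(parts) != 2 or parts[0].lower() != 'basic':
        return None
    try:
        decoded = base64.b64decode(parts[1].strip(), validate=True).decode('utf-8')
    except (binascii.Error, UnicodeDecodeError):
        return None
    if ':' not in decoded:
        return None
    user, password = decoded.split(':', 1)
    if not user:
        return None
    return user, password


def determine_user(env, config):
    """Return (username, source, password) or None.

    env    -- CGI-style environment dict (os.environ in a real CGI run)
    config -- dict with the real Roundup option WEB_HTTP_AUTH and the
              hypothetical WEB_HTTP_AUTH_VARIABLE naming an extra env var

    source is 'REMOTE_USER', the extra variable name, or 'basic'.
    password is only present for 'basic': the web server has NOT verified
    those credentials, so the caller must check them against the user DB.
    """
    if not config.get('WEB_HTTP_AUTH'):
        return None

    # 1. Web server authentication (e.g. Apache mod_auth_*) sets REMOTE_USER.
    #    An empty value is treated as unset here, unlike the quoted 'in' test.
    if env.get('REMOTE_USER'):
        return env['REMOTE_USER'], 'REMOTE_USER', None

    # 2. Hypothetical extension: a second variable for front ends that cannot
    #    set REMOTE_USER. By CGI rules a request header X-Remote-User arrives
    #    as HTTP_X_REMOTE_USER. This is only safe when the front end strips
    #    any client-supplied copy of that header before forwarding; otherwise
    #    anyone can log in as anyone by sending the header themselves.
    extra = config.get('WEB_HTTP_AUTH_VARIABLE')
    if extra and env.get(extra):
        return env[extra], extra, None

    # 3. Fall back to handling Basic Auth ourselves.
    creds = parse_basic_auth(env.get('HTTP_AUTHORIZATION', ''))
    if creds:
        return creds[0], 'basic', creds[1]
    return None


if __name__ == '__main__':
    cfg = {'WEB_HTTP_AUTH': True, 'WEB_HTTP_AUTH_VARIABLE': 'HTTP_X_REMOTE_USER'}
    print(determine_user({'REMOTE_USER': 'alice'}, cfg))
    print(determine_user({'HTTP_X_REMOTE_USER': 'bob'}, cfg))
    print(determine_user({'HTTP_AUTHORIZATION': SAMPLE_BASIC_HEADER}, cfg))
    print(determine_user({'HTTP_AUTHORIZATION': 'Basic !!!'}, cfg))
```

Note that with WEB_HTTP_AUTH off the function returns None even when REMOTE_USER is present, matching the quoted code's outer guard, and that a header-based source such as HTTP_X_REMOTE_USER must never be enabled unless the proxy in front of the tracker is the only party able to set it.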
History

Date                User  Action  Args
2014-04-23 10:10:31 ber   set     messageid: <1398247831.52.0.650477945428.issue2550837@psf.upfronthosting.co.za>
2014-04-23 10:10:31 ber   set     recipients: + ber, techtonik, jerrykan, antmail
2014-04-23 10:10:31 ber   link    issue2550837 messages
2014-04-23 10:10:30 ber   create