Message5087
To unify the communication, here are two emails from roundup-devel:
----------Original Message----------
From: anatoly techtonik <techtonik@gmail.com>
Sent: Monday 14 April 2014, 17:02:08
To: Anthony Pankov <ant_mail@inbox.ru>
Subject: Re: [Roundup-devel] patch for more flexible web auth
Hi Anthony,
On Mon, Apr 14, 2014 at 10:37 AM, Anthony Pankov <ant_mail@inbox.ru>
wrote:
>
> Some days ago I created a roundup-tracker issue (
> http://issues.roundup-tracker.org/issue2550837 ) but have had no reply.
>
> Can somebody audit and apply the patch to
> roundup-tracker source tree?

REMOTE_USER is not default standard of authentication in web
applications. For example, Django doesn't use it by default and
in Django backend for it I don't see a way to customize the name
of variable used to fetch it:
https://docs.djangoproject.com/en/dev/howto/auth-remote-user/

You have a very specific use case that is needed by less than 1%
of Roundup installations, and I don't like the idea of using another
global configuration option, because all other 99% will have to read
through it and waste time on guessing what this option means.

I'd propose instead to add chapter named "Authentication"
to admin guide, probably renaming this one:
http://roundup.sourceforge.net/docs/admin_guide.html#users-and-security
and document the current way of writing authentication extensions.
Your scenario is a good candidate to be included as a basic
example. An alternative would be to review the current scheme
and submit a patch that makes it improved.
-------------------------------------------------------
----------Original Message----------
From: Anthony Pankov <ant_mail@inbox.ru>
Sent: Wednesday 16 April 2014, 09:55:02
Subject: Re: [Roundup-devel] patch for more flexible web auth
> REMOTE_USER is not default standard of authentication in web
> applications.
I suspected this. So I suppose the way to control it somehow.

> You have a very specific use case that is needed by less than 1%
> of Roundup installations, and I don't like the idea of using another
> global configuration option, because all other 99% will have to read
> through it and waste time on guessing what this option means.
There is an issue with Apache in that it silently suppresses a REMOTE_USER
variable which does not come from its auth modules. I can't find any way
to pervert the Apache configuration to let roundup-tracker do the job in
its current state.

> I'd propose instead to add chapter named "Authentication"
> to admin guide, probably renaming this one:
> http://roundup.sourceforge.net/docs/admin_guide.html#users-and-security
> and document the current way of writing authentication extensions.
I don't see anything like an authentication driver in the internal
roundup-tracker code. There is a direct call to
determine_user() in client.py which is defined as:

    # first up, try http authorization if enabled
    if self.instance.config['WEB_HTTP_AUTH']:
        if 'REMOTE_USER' in self.env:
            # we have external auth (e.g. by Apache)
            user = self.env['REMOTE_USER']
        elif self.env.get('HTTP_AUTHORIZATION', ''):
            # try handling Basic Auth ourselves
            auth = self.env['HTTP_AUTHORIZATION']
            scheme, challenge = auth.split(' ', 1)
            if scheme.lower() == 'basic':

So, any extension will go after this code has executed, which means low
effectiveness. Maybe I've missed something.

Date | User | Action | Args
2014-04-23 10:10:31 | ber | set | messageid: <1398247831.52.0.650477945428.issue2550837@psf.upfronthosting.co.za>
2014-04-23 10:10:31 | ber | set | recipients: + ber, techtonik, jerrykan, antmail
2014-04-23 10:10:31 | ber | link | issue2550837 messages
2014-04-23 10:10:30 | ber | create |
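
The order of checks in the determine_user() excerpt quoted above, as an added stand-alone example that is not Roundup's code and not part of the original message. The names parse_basic, verify, USERS and GOOD_HEADER, and everything after the `basic` scheme check (where the excerpt ends), are assumptions made for illustration.

```python
import base64
import hmac

def parse_basic(header):
    """Return (username, password) from a Basic Authorization value, or None."""
    scheme, sep, challenge = header.partition(' ')
    if not sep or scheme.lower() != 'basic':
        return None  # a value without a space cannot be unpacked into two names
    try:
        decoded = base64.b64decode(challenge.strip(), validate=True).decode('utf-8')
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        return None
    username, sep, password = decoded.partition(':')
    if not sep or not username:
        return None
    return username, password

def determine_user(env, http_auth_enabled, verify_password):
    """Follow the excerpt's order of checks; return (user, source)."""
    if http_auth_enabled:
        if 'REMOTE_USER' in env:
            # Set by the web server's own auth layer and taken as-is.
            # Request headers reach CGI/WSGI code as HTTP_* keys, so a
            # client-sent "Remote-User" header does not land here.
            return env['REMOTE_USER'], 'REMOTE_USER'
        creds = parse_basic(env.get('HTTP_AUTHORIZATION', ''))
        if creds and verify_password(*creds):
            return creds[0], 'basic'
    # Anything an extension does happens after this point.
    return 'anonymous', 'default'

# Constructed sample data, not taken from any real tracker.
USERS = {'alice': 's3cret'}
GOOD_HEADER = 'Basic ' + base64.b64encode(b'alice:s3cret').decode('ascii')

def verify(username, password):
    """Constant-time comparison against the constructed USERS table."""
    stored = USERS.get(username)
    return stored is not None and hmac.compare_digest(
        stored.encode('utf-8'), password.encode('utf-8'))

if __name__ == '__main__':
    print(determine_user({'HTTP_AUTHORIZATION': GOOD_HEADER}, True, verify))
```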