[kforge-dev] Ticket #38 (defect) created by I love you
John Bywater
john.bywater at appropriatesoftwarefoundation.org
Fri Jan 12 21:46:00 UTC 2007
[written before I read your last email]
John Bywater wrote:
> 1. Non-cookie browser clients
> 2. A POST request
> 3. No access granted (allegedly)
Sorry, on second reading, it's obvious you're talking about normal
cookie-supporting browsers.
[but it turns out you're talking about all browsers :-)]
I reckon there are two things we should do:
1. Firstly, change the redirect return code to something other than OK.
I remembered the reason it is OK is to prevent further handlers firing
(to satisfay Apache's 'Satisfy any' directive), and thereby avoiding the
basic auth diaglog showing just before a redirect.
But I think we should immediately exchange having Trac spammed for the
lesser problem of an inappropriate and confusing dialog.
I think (repository will know which) the value we were using was one of:
HTTP_MOVED_TEMPORARILY
HTTP_MOVED_PERMANENTLY
HTTP_TEMPORARY_REDIRECT
2. Secondly, we need to work out how to avoid Trac acting on a
redirected browser request, whilst still avoiding the basic auth dialog
showing.
I thought up two options for investigation so far:
(a) Attempt to terminate the handler chain before the basic auth dialog
shows. Perhaps the handler returning HTTP_FORBIDDEN will terminate the
chain, rather than HTTP_UNAUTHORIZED, which doesn't satisfy the Apache
directive "Satisfy Any". NB I think I have assumed that only OK
satisfies the 'Satisfy any' directive, but I seem to remember that
HTTP_FORBIDDEN also does. If it doesn't I think we should look for
another return code that does satisfy Apache. Perhaps we could try to
find the whole set of satisfying codes?
(b) Effectively trash the request object so that Trac can't possibly
work. My guess is that this wouldn't give us satisfaction, but we might
be lucky. Setting things like path might have some effect.
I'm sure there would other options too. But I can't think of any (except
write our own apache module, which would be terrible). What does the
Authenz handler do? Can we make use of any special effects it has? Etc.
Best regards,
John.
More information about the kforge-dev
mailing list