[kforge-dev] Ticket #38 (defect) created by I love you

John Bywater john.bywater at appropriatesoftwarefoundation.org
Fri Jan 12 21:46:00 UTC 2007


[written before I read your last email]

John Bywater wrote:

> 1. Non-cookie browser clients
> 2. A POST request
> 3. No access granted (allegedly)


Sorry, on second reading, it's obvious you're talking about normal 
cookie-supporting browsers.

[but it turns out you're talking about all browsers :-)]


I reckon there are two things we should do:


1. Firstly, change the redirect return code to something other than OK.

I remembered the reason it is OK is to prevent further handlers firing 
(to satisfy Apache's 'Satisfy any' directive), and thereby avoid the 
basic auth dialog showing just before a redirect.

But I think we should immediately exchange having Trac spammed for the 
lesser problem of an inappropriate and confusing dialog.

I think (repository will know which) the value we were using was one of:
HTTP_MOVED_TEMPORARILY
HTTP_MOVED_PERMANENTLY
HTTP_TEMPORARY_REDIRECT


2. Secondly, we need to work out how to avoid Trac acting on a 
redirected browser request, whilst still avoiding the basic auth dialog 
showing.

I thought up two options for investigation so far:

(a) Attempt to terminate the handler chain before the basic auth dialog 
shows. Perhaps the handler returning HTTP_FORBIDDEN will terminate the 
chain, rather than HTTP_UNAUTHORIZED, which doesn't satisfy the Apache 
directive "Satisfy Any". NB I think I have assumed that only OK 
satisfies the 'Satisfy any' directive, but I seem to remember that 
HTTP_FORBIDDEN also does. If it doesn't I think we should look for 
another return code that does satisfy Apache. Perhaps we could try to 
find the whole set of satisfying codes?

(b) Effectively trash the request object so that Trac can't possibly 
work. My guess is that this wouldn't give us satisfaction, but we might 
be lucky. Setting things like path might have some effect.

I'm sure there would be other options too. But I can't think of any (except 
write our own apache module, which would be terrible). What does the 
Authenz handler do? Can we make use of any special effects it has? Etc.


Best regards,

John.
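The first proposal above (return a redirect status from the handler instead of OK) as an added, illustrative mod_python access handler. This is example code written for this page, not KForge's own handler, and the session cookie name, login URL and session check are assumptions. mod_python is assumed absent in a stand-alone run, so the status constants it would provide are defined locally with their standard HTTP values. The mail's second concern (any non-OK return letting the basic auth dialog through under 'Satisfy any') is not addressed here.

```python
"""Added example: mod_python access handler returning OK vs. a redirect.
Illustrative code only (not KForge's); names below are assumptions."""

try:
    from mod_python import apache          # real deployment under Apache
except ImportError:                         # stand-alone / test run
    class apache:                           # stand-in for the constants used here
        OK = 0
        HTTP_MOVED_TEMPORARILY = 302
        HTTP_TEMPORARY_REDIRECT = 307
        HTTP_FORBIDDEN = 403

LOGIN_URL = "/login"                 # assumed login page path (hypothetical)
SESSION_COOKIE = "kforge_session"    # assumed session cookie name (hypothetical)


def has_valid_session(req):
    """Assumed session check: the session cookie is present and non-empty.
    A real deployment would look the value up in its session store."""
    cookie_header = req.headers_in.get("Cookie", "")
    for part in cookie_header.split(";"):
        name, _, value = part.strip().partition("=")
        if name == SESSION_COOKIE and value:
            return True
    return False


def accesshandler_returning_ok(req):
    """The pattern the mail describes: set Location but return OK.
    OK tells Apache that access is granted, so the later handlers (Trac)
    still run and act on the request; only a stray Location header goes out."""
    if has_valid_session(req):
        return apache.OK
    req.headers_out["Location"] = LOGIN_URL
    return apache.OK


def accesshandler_returning_redirect(req):
    """Proposed change 1: return a real redirect status instead of OK.
    Apache then answers with the redirect itself and the content handler
    never sees the (possibly spammy) POST.  302 is used rather than 307
    because a 307 would make the browser re-send the POST body to LOGIN_URL."""
    if has_valid_session(req):
        return apache.OK
    req.headers_out["Location"] = LOGIN_URL
    return apache.HTTP_MOVED_TEMPORARILY


class FakeRequest:
    """Constructed stand-in for mod_python's request object, carrying just
    the attributes the handlers above touch."""

    def __init__(self, method, uri, cookie=None):
        self.method = method
        self.uri = uri
        self.headers_in = {"Cookie": cookie} if cookie else {}
        self.headers_out = {}


def run(handler, req):
    """Return (status, Location header or None) so the two behaviours compare."""
    status = handler(req)
    return status, req.headers_out.get("Location")


if __name__ == "__main__":
    spam_post = FakeRequest("POST", "/trac/newticket")   # constructed sample request
    print("OK variant:      ", run(accesshandler_returning_ok, spam_post))
    print("redirect variant:", run(accesshandler_returning_redirect,
                                   FakeRequest("POST", "/trac/newticket")))
```

Under the OK variant Apache treats the access phase as passed and hands the same POST to Trac; under the redirect variant the request ends at the access phase with a 302 to the login page and Trac is never invoked for it.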
