Opened 8 years ago

Closed 8 years ago

Last modified 8 years ago

#1033 closed defect (invalid)

/login/xmlrpc requires xmlrpc permission

Reported by: ThurnerRupert
Owned by: athomas
Priority: normal
Component: XmlRpcPlugin
Severity: critical
Keywords:
Cc:
Trac Release: 0.10

Description

it would be good to have a defined url/procedure for logging in, which may also be separated out by HttpAuthPlugin. with AccountMgrPlugin and HttpAuthPlugin we get

  • /xmlrpc - basic auth window
  • /login/xmlrpc - 403 Forbidden (XML_RPC privileges are required to perform this operation)
  • /login - html based login form

Attachments (0)

Change History (7)

comment:1 Changed 8 years ago by athomas

  • Component changed from TracHacks to XmlRpcPlugin
  • Resolution set to invalid
  • Status changed from new to closed

I'm not sure what the problem is here?

The defined URL for authenticated XML-RPC requests is /login/xmlrpc, as described in the XmlRpcPlugin page: "The browsable XML-RPC URI suffix is /xmlrpc, however most XML-RPC clients should use the authenticated URL suffix /login/xmlrpc as this is correctly authenticated by Trac."

Feel free to reopen with clarification.

comment:2 Changed 8 years ago by coderanger

I should probably change the default path in HttpAuthPlugin from /xmlrpc to /login/xmlrpc. I would guess that is causing confusion.

comment:3 Changed 8 years ago by anonymous

is there a possibility to state more than one path, and if yes, how?

comment:4 Changed 8 years ago by ThurnerRupert

see #1021. i'm not sure which component is responsible for doing what here. usually /login/xmlrpc should pop up a basic auth window, isn't it?

comment:5 Changed 8 years ago by ThurnerRupert

  • Resolution invalid deleted
  • Severity changed from normal to critical
  • Status changed from closed to reopened

allow me to reopen. i still don't understand, but i think it might be possible that the problem lies in the IRequestFilter, IRequestHandler and which one comes first. if it is like in apache, then xmlrpc should have IRequestFilter somehow implemented, isn't it?

see #1021 for the code parts ...

comment:6 Changed 8 years ago by athomas

  • Resolution set to invalid
  • Status changed from reopened to closed

This is not a bug in XmlRpcPlugin, it is a configuration issue with HttpAuthPlugin. Configure it to require authentication when accessing the /login/xmlrpc URL:

[httpauth]
paths = /xmlrpc, /login/xmlrpc

Then access XMLRPC via /login/xmlrpc as instructed in the XmlRpcPlugin page. If this doesn't work it is likely to be a problem with HttpAuthPlugin.

As for your question, IRequestFilters are always executed before IRequestHandlers.
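
Added example, not part of the ticket or of either plugin's code: a simplified Python model of the request flow described in comment:6, showing why an anonymous request to /login/xmlrpc gets the 403 from the handler until that path is listed under [httpauth] paths. The function names, the `alice` account and the ini fragments are constructed for illustration, and the prefix matching in the filter is an assumption about how `paths` is applied.

```python
import configparser

# Constructed trac.ini fragments: only /xmlrpc listed, then the setting from comment:6.
BEFORE = "[httpauth]\npaths = /xmlrpc\n"
AFTER = "[httpauth]\npaths = /xmlrpc, /login/xmlrpc\n"
# Constructed permission table; anonymous requests (user None) hold no permissions.
PERMS = {"alice": {"XML_RPC"}}

def auth_paths(ini_text):
    """Return the path prefixes listed under [httpauth] paths."""
    cp = configparser.ConfigParser()
    cp.read_string(ini_text)
    raw = cp.get("httpauth", "paths", fallback="")
    return [p.strip() for p in raw.split(",") if p.strip()]

def http_auth_filter(path, user, paths):
    """Model of a request filter: challenge anonymous requests to listed paths."""
    if user is None and any(path.startswith(p) for p in paths):
        return 401, "Basic auth challenge"
    return None  # not a protected path, or already authenticated

def handler(path, user, permissions):
    """Model of the request handlers behind the three URLs in the ticket."""
    if path.endswith("/xmlrpc"):
        if "XML_RPC" not in permissions.get(user, set()):
            return 403, "XML_RPC privileges are required"
        return 200, "XML-RPC response"
    if path == "/login":
        return 200, "HTML login form"
    return 404, "Not found"

def dispatch(path, user, ini_text, permissions):
    """Filters run before handlers, so a challenge pre-empts the permission check."""
    early = http_auth_filter(path, user, auth_paths(ini_text))
    return early if early else handler(path, user, permissions)

if __name__ == "__main__":
    for label, ini in (("before", BEFORE), ("after", AFTER)):
        for path in ("/xmlrpc", "/login/xmlrpc", "/login"):
            print(label, path, dispatch(path, None, ini, PERMS))
```
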

comment:7 Changed 8 years ago by ThurnerRupert

uh, mea culpa. i hardcoded it and forgot to remove the erroneous config file entry. put your httpauth setting also on the HttpAuthPlugin page to prevent people with similar stupidity doing the same :)
