Context Navigation

Modify ↓

#1033 closed defect (invalid)

/login/xmlrpc requires xmlrpc permission

Reported by:	rupert thurner	Owned by:	Alec Thomas
Priority:	normal	Component:	XmlRpcPlugin
Severity:	critical	Keywords:
Cc:		Trac Release:	0.10

Description

it would be good to have a defined url/procedure for logging in, which may also be separated out by HttpAuthPlugin. with AccountMgrPlugin and HttpAuthPlugin we get

/xmlrpc - basic auth window
/login/xmlrpc - 403 Forbidden (XML_RPC privileges are required to perform this operation)
/login - html based login form

Attachments (0)

Change History (7)

comment:1 Changed 18 years ago by Alec Thomas

Component:	TracHacks → XmlRpcPlugin
Resolution:	→ invalid
Status:	new → closed

I'm not sure what the problem is here?

The defined URL for authenticated XML-RPC requests is /login/xmlrpc, as described in the XmlRpcPlugin page: "The browsable XML-RPC URI suffix is /xmlrpc, however most XML-RPC clients should use the authenticated URL suffix /login/xmlrpc as this is correctly authenticated by Trac."

Feel free to reopen with clarification.

comment:2 Changed 18 years ago by Noah Kantrowitz

I should probably change the default path in HttpAuthPlugin from /xmlrpc to /login/xmlrpc. I would guess that is causing confusion.

comment:3 Changed 18 years ago by anonymous

is there a possibility to state more than one path, and if yes, how?

comment:4 Changed 18 years ago by rupert thurner

see #1021. i'm not sure which component is responsible for doing what here. usually /login/xmlrpc should pop up a basic auth window, isn't it?

comment:5 Changed 18 years ago by rupert thurner

Resolution:	invalid
Severity:	normal → critical
Status:	closed → reopened

allow me to reopen. i still don't understand, but i think it might be possible that the problem lies in the IRequestFilter, IRequestHandler and which one comes first. if it is like in apache, then xmlrpc should have IRequestFilter somehow implemented, isn't it?

see #1021 for the code parts ...

comment:6 Changed 18 years ago by Alec Thomas

Resolution:	→ invalid
Status:	reopened → closed

This is not a bug in XmlRpcPlugin, it is a configuration issue with HttpAuthPlugin. Configure it to require authentication when accessing the /login/xmlrpc URL:

[httpauth]
paths = /xmlrpc, /login/xmlrpc

Then access XMLRPC via /login/xmlrpc as instructed in the XmlRpcPlugin page. If this doesn't work it is likely to be a problem with HttpAuthPlugin.

As for your question, IRequestFilters are always executed before IRequestHandlers.

comment:7 Changed 18 years ago by rupert thurner

uh, mea culpa. i hardcoded it and forgot to remove the erreounous config file entry. put your httpauth setting also on the HttpAuthPlugin page to prevent people with similar stupidity doing the same :)

Modify Ticket

Change Properties

Summary:
Type:	Priority:
Component:	Severity:
Keywords:	Cc:	Set your email in Preferences
Trac Release:

Action

leave as closed The owner will remain Alec Thomas.

reopen The resolution will be deleted. Next status will be 'reopened'.

Add Comment

Your email or username:

E-mail address and name can be saved in the Preferences.

You may use WikiFormatting here.

Attachments ↑ Description ↑

Note: See TracTickets for help on using tickets.

Download in other formats: