Auth/privileges problems with XML-RPC

Are you using Basic Authentication as provided by Apache (or other web server) or some plugin hack to simulate Basic auth? When using a regular browser in a new session (with no auto-user-password entry) are you challenged for authentication at /login/rpc url? By the browser or by pretty HTML form on the page?

The server needs to challenge for the authentication, otherwise the client won't provide the credentials.

You can likely test this quite easily by adding XML-RPC permission to anonymous and making request to /rpc (and possibly even /login/rpc). If RPC requests then works, the server is not making required challenges to work with your client library.

If you still think all is as it should be at your end, it is time to start pasting some information:

• System Information overview of versions and plugins from "About Trac" (as admin)
• Trac debug log from a single request via RPC just to see what happens

Well, all four URLs provided (/rpc and /jsonrpc, and /login/rpc /login/jsonrpc) take me to the same examples page, explaining what to do with that plugin, and a list of methods, wiki-style.

I'm starting to think that something is really wrong =( haha Is this a misconfiguration? How can I fix that?

Replying to anonymous:

Well, all four URLs provided (/rpc and /jsonrpc, and /login/rpc /login/jsonrpc) take me to the same examples page, explaining what to do with that plugin, and a list of methods, wiki-style. I'm starting to think that something is really wrong =( haha Is this a misconfiguration? How can I fix that?

There's nothing wrong, that's expected behavior, if request content-type header is not set to e.g. application/json for JSON-RPC and accept header contains text/html (AFAICR) , which is standard browser behavior.

Please read the documentation, and please provide system information including version of the plugin in use ... ;)

Well, sorry for being that dumb. haha
Links with the requests I made (I think they are correct now) and the Trac Information: http://www.pastie.org/1741056

My boss is away today, but if needed i'll attach the log by tomorrow or monday.

Ty in advance (:

http://www.pastie.org/1783327 Trac debug log
http://www.pastie.org/1783333 Python script used, as seen in one of the tutorials I read

Any ideas?

AFAICS it's failing @ this line req.perm.require('XML_RPC') but you specify correct user & password (unless my.user be an invalid user name ?) . The fact is that Trac seems not to identify user credentials , so it's executed like if it was an anonymous call .

This means there's an issue with authentication handling. Nonetheless the fact is that the plugin doesn't care about that and plays a passive role in this matter by delegating these details to other authentication-specific components.

As a workaround (at least to debug a little ...) I suggest you to :

• Grant XML-RPC permission to anonymnous user and see if it works (the problem is still there but at least you'll be able to confirm aforementioned hypothesis)
• Forward this request to trac-users mailing list together with information about plugins installed and server configuration in order to isolate and debug your particular authentication issues .

@osimons : IMO this should a happily closed & invalid ticket. Feel free to pull the trigger ... ;o)

Replying to olemis:

- Grant XML-RPC permission to anonymnous user and see if it works (the problem is still there but at least you'll be able to confirm aforementioned hypothesis)

Typo by the way, make sure you grant the permission to user anonymous. Anyway, could you please confirm if that makes it work or not? I suspect it does.

Looking at your list of plugins, it seems you are using AccountManagerPlugin for authentication (ie. html forms login). You need to read and understand the documentation at wiki:XmlRpcPlugin#Troubleshooting where it says that you then also need HttpAuthPlugin installed and enabled. This plugin hacks a basic authentication format for certain URLs, and you want to make sure you add /login/rpc to the paths configuration for this plugin.

Ok, we have enabled HttpAuthPlugin and configured it as follows:

[httpauth]  
paths = /xmlrpc, /login/xmlrpc, /rpc, /login/rpc, /jsonrpc, /login/jsonrpc

And it still gives us the same error, saying that the user anonymous doesn't have permissions.
Finally, we can't create an anonymous user, the user page says simply that we can't create it.

Replying to anonymous:

Finally, we can't create an anonymous user, the user page says simply that we can't create it.

Don't create user anonymous - 'anonymous' is the name assigned to any user that isn't logged in. All you need to do in Permissions admin page is assign XML_RPC permission to user anonymous.

You can't create anonymous user. It's always there OOTB so there's no need to create it . It's a reserved user name . Just add permissions using trac-admin or admin web interface.

If it works using anonymous RPC requests then this will become a support request (not an issue ;o) so please forward your request to trac-users mailing list.

Ok, permissions granted to anonymous user. The script worked, but it keep working as I am the anonymous, not the user I said.

The HttpAuthPlugin is enabled and configured as said, but it keeps like is said in wiki:XmlRpcPlugin#Troubleshooting: "Every access will look like anonymous access."

Anyway, I have already sent a message to the mailing list.

I guess I am facing a similar problem:

When connecting trac by eclipse-mylyn and only an autenticated user has XML_RPC rights, eclipse plugins always says: Insufficient permissions for selected access type. The error won't occur if anonymous has XML_RPC rights.

I guess it might be a server-side configuration problem, but don't know enough where and what to config. I am using apache httpd without basic-auth, because I am using AccountManagerPlugin.

Thanks in advance for any hint.

I'm having the same problem and don't know how to solve.
After installed HttpAuthPlugin, I received a new exception:
HTTP server returned unexpected status: Unauthorized
Someone helps me, please!

I am getting the following error with Trac 0.13dev-r10991 running on apache httpd (2.8 (WSGIProcessGroup /trac/trac1 WSGIApplicationGroup %{GLOBAL})) and newest XmlRpcPlugin (r11306):

2012-03-22 15:02:09,533 Trac[web_ui] ERROR: RPC(XML-RPC) Error
Traceback (most recent call last):
  File "/usr/local/lib/python2.6/dist-packages/TracXMLRPC-1.1.2_r11306-py2.6.egg/tracrpc/web_ui.py", line 158, in _rpc_process
    result = (XMLRPCSystem(self.env).get_method(method_name)(req, args))[0]
  File "/usr/local/lib/python2.6/dist-packages/TracXMLRPC-1.1.2_r11306-py2.6.egg/tracrpc/api.py", line 197, in __call__
    result = self.callable(req, *args)
  File "/usr/local/lib/python2.6/dist-packages/TracXMLRPC-1.1.2_r11306-py2.6.egg/tracrpc/ticket.py", line 241, in update
    " ".join([warning for warning in req.chrome['warnings']]))
ServiceException: No permission to edit the ticket description. No permission to change ticket fields. No permissions to add a comment. Sorry, can not save your changes. This ticket has been modified by someone else since you started field gefasoft_section must be set field gefasoft_phase must be set field gefasoft_trigger must be set field gefasoft_impact must be set field gefasoft_target must be set field gefasoft_defecttype must be set field gefasoft_qualifier must be set field gefasoft_source must be set field gefasoft_age must be set
2012-03-22 15:02:09,533 Trac[xml_rpc] ERROR: No permission to edit the ticket description. No permission to change ticket fields. No permissions to add a comment. Sorry, can not save your changes. This ticket has been modified by someone else since you started field gefasoft_section must be set field gefasoft_phase must be set field gefasoft_trigger must be set field gefasoft_impact must be set field gefasoft_target must be set field gefasoft_defecttype must be set field gefasoft_qualifier must be set field gefasoft_source must be set field gefasoft_age must be set
2012-03-22 15:02:09,534 Trac[xml_rpc] ERROR: Traceback (most recent call last):
  File "/usr/local/lib/python2.6/dist-packages/TracXMLRPC-1.1.2_r11306-py2.6.egg/tracrpc/web_ui.py", line 158, in _rpc_process
    result = (XMLRPCSystem(self.env).get_method(method_name)(req, args))[0]
  File "/usr/local/lib/python2.6/dist-packages/TracXMLRPC-1.1.2_r11306-py2.6.egg/tracrpc/api.py", line 197, in __call__
    result = self.callable(req, *args)
  File "/usr/local/lib/python2.6/dist-packages/TracXMLRPC-1.1.2_r11306-py2.6.egg/tracrpc/ticket.py", line 241, in update
    " ".join([warning for warning in req.chrome['warnings']]))
ServiceException: No permission to edit the ticket description. No permission to change ticket fields. No permissions to add a comment. Sorry, can not save your changes. This ticket has been modified by someone else since you started field gefasoft_section must be set field gefasoft_phase must be set field gefasoft_trigger must be set field gefasoft_impact must be set field gefasoft_target must be set field gefasoft_defecttype must be set field gefasoft_qualifier must be set field gefasoft_source must be set field gefasoft_age must be set

I tried connecting with eclipse mylyn (newest update). User anonymous has permission XML_RPC. eclipse mylyn shows error: "Submit failed: Mid-air collision occurred. Synchronize task and re-submit changes." But synchronizing tasks or query does not help anything.

Might any custom fields cause problems? Did I miss anything to configure (maybe in httpd)?

Replying to framay:

I tried connecting with eclipse mylyn (newest update). User anonymous has permission XML_RPC. eclipse mylyn shows error: "Submit failed: Mid-air collision occurred. Synchronize task and re-submit changes." But synchronizing tasks or query does not help anything. Might any custom fields cause problems? Did I miss anything to configure (maybe in httpd)?

Does this really look like the same problem? Your error says (broken for clarity):

ServiceException:
No permission to edit the ticket description.
No permission to change ticket fields.
No permissions to add a comment.
Sorry, can not save your changes.
This ticket has been modified by someone else since you started
field gefasoft_section must be set
field gefasoft_phase must be set
field gefasoft_trigger must be set
field gefasoft_impact must be set
field gefasoft_target must be set
field gefasoft_defecttype must be set
field gefasoft_qualifier must be set
field gefasoft_source must be set
field gefasoft_age must be set

• If posting as anonymous, does anonymous also have the necessary privileges to actually update the ticket?
• You seem to have other plugins installed, some which seem to enforce required field?

Perhaps debug logging provides more information.

That said, the plugin fails various tests with Trac 0.13dev - including ticket update tests. 49 tests gives 2 failures and 3 errors when running the tests suite just now with latest Trac tunk. Generally I don't spend much time trying to keep all intermediate Trac trunk changesets working, and you should not run development releases of Trac unless you are prepared to handle and research problems yourself.

log file of test trac system

Replying to osimons:

* If posting as anonymous, does anonymous also have the necessary privileges to actually update the ticket?

I tried it again on another test instance, where less plugins are set active. I double checked that user anonymous has enough permissions (TRAC_ADMIN, XML_RPC).

* You seem to have other plugins installed, some which seem to enforce required field?

I disabled all our self-made plugins, so only 2 plugins are left: TracXMLRPC 1.1.2-r11306 of course and TracAccountManager 0.3dev-r9929. But still the following error occurs (nobody changed anything on that system in the meantime):

ServiceException: Sorry, can not save your changes. This ticket has been modified by someone else since you started

Perhaps debug logging provides more information.

Attached log-file has debug logging (note: all plugins are set active at this point).

That said, the plugin fails various tests with Trac 0.13dev - including ticket update tests. 49 tests gives 2 failures and 3 errors when running the tests suite just now with latest Trac tunk. Generally I don't spend much time trying to keep all intermediate Trac trunk changesets working, and you should not run development releases of Trac unless you are prepared to handle and research problems yourself.

Well, I know that it is not the official Trac release, but as discussed in trac-dev current trunk provides features, which serveral collegues has already requested. So that's why we do not use a 2 year-old version 0.12.

Replying to osimons:

Does this really look like the same problem?

Your problem is very different from the issue originally raised by this ticket, so let's stop mixing them. I've created #9921 for your issue. Please follow up there.

Replying to framay:

We started to have the "Unauthorised" error as well here after switching from tracd to apache as web front end. Our conf is using the HttpAuthPlugin and a specific user was used to change tickets until now.

My apache logs are saying "Digest: client used wrong authentication scheme `Basic': /login/xmlrpc" so I guess something has to be done at the apache configuration

If this can't be done I'm resigned to give XMLRPC rights to anonymous but would like to avoid this...