Opened 10 years ago

Closed 10 years ago

Last modified 10 years ago

#1033 closed defect (invalid)

/login/xmlrpc requires xmlrpc permission

Reported by: ThurnerRupert Owned by: athomas
Priority: normal Component: XmlRpcPlugin
Severity: critical Keywords:
Cc: Trac Release: 0.10


it would be good to have a defined url/procedure for logging in, which may also be separated out by HttpAuthPlugin. with AccountMgrPlugin and HttpAuthPlugin we get

  • /xmlrpc - basic auth window
  • /login/xmlrpc - 403 Forbidden (XML_RPC privileges are required to perform this operation)
  • /login - html based login form

Attachments (0)

Change History (7)

comment:1 Changed 10 years ago by athomas

  • Component changed from TracHacks to XmlRpcPlugin
  • Resolution set to invalid
  • Status changed from new to closed

I'm not sure what the problem is here?

The defined URL for authenticated XML-RPC requests is /login/xmlrpc, as described in the XmlRpcPlugin page: "The browsable XML-RPC URI suffix is /xmlrpc, however most XML-RPC clients should use the authenticated URL suffix /login/xmlrpc as this is correctly authenticated by Trac."

Feel free to reopen with clarification.

comment:2 Changed 10 years ago by coderanger

I should probably change the default path in HttpAuthPlugin from /xmlrpc to /login/xmlrpc. I would guess that is causing confusion.

comment:3 Changed 10 years ago by anonymous

is there a possibility to state more than one path, and if yes, how?

comment:4 Changed 10 years ago by ThurnerRupert

see #1021. i'm not sure which component is responsible for doing what here. usually /login/xmlrpc should pop up a basic auth window, isn't it?

comment:5 Changed 10 years ago by ThurnerRupert

  • Resolution invalid deleted
  • Severity changed from normal to critical
  • Status changed from closed to reopened

allow me to reopen. i still don't understand, but i think it might be possible that the problem lies in the IRequestFilter, IRequestHandler and which one comes first. if it is like in apache, then xmlrpc should have IRequestFilter somehow implemented, isn't it?

see #1021 for the code parts ...

comment:6 Changed 10 years ago by athomas

  • Resolution set to invalid
  • Status changed from reopened to closed

This is not a bug in XmlRpcPlugin, it is a configuration issue with HttpAuthPlugin. Configure it to require authentication when accessing the /login/xmlrpc URL:

paths = /xmlrpc, /login/xmlrpc

Then access XMLRPC via /login/xmlrpc as instructed in the XmlRpcPlugin page. If this doesn't work it is likely to be a problem with HttpAuthPlugin.

As for your question, IRequestFilters are always executed before IRequestHandlers.

comment:7 Changed 10 years ago by ThurnerRupert

uh, mea culpa. i hardcoded it and forgot to remove the erreounous config file entry. put your httpauth setting also on the HttpAuthPlugin page to prevent people with similar stupidity doing the same :)

Add Comment

Modify Ticket

as closed The owner will remain athomas.
The resolution will be deleted. Next status will be 'reopened'.

E-mail address and user name can be saved in the Preferences.

Note: See TracTickets for help on using tickets.