Modify

Opened 11 years ago

Closed 11 years ago

Last modified 11 years ago

#1033 closed defect (invalid)

/login/xmlrpc requires xmlrpc permission

Reported by: rupert thurner Owned by: Alec Thomas
Priority: normal Component: XmlRpcPlugin
Severity: critical Keywords:
Cc: Trac Release: 0.10

Description

it would be good to have a defined url/procedure for logging in, which may also be separated out by HttpAuthPlugin. with AccountMgrPlugin and HttpAuthPlugin we get

  • /xmlrpc - basic auth window
  • /login/xmlrpc - 403 Forbidden (XML_RPC privileges are required to perform this operation)
  • /login - html based login form

Attachments (0)

Change History (7)

comment:1 Changed 11 years ago by Alec Thomas

Component: TracHacksXmlRpcPlugin
Resolution: invalid
Status: newclosed

I'm not sure what the problem is here?

The defined URL for authenticated XML-RPC requests is /login/xmlrpc, as described in the XmlRpcPlugin page: "The browsable XML-RPC URI suffix is /xmlrpc, however most XML-RPC clients should use the authenticated URL suffix /login/xmlrpc as this is correctly authenticated by Trac."

Feel free to reopen with clarification.

comment:2 Changed 11 years ago by Noah Kantrowitz

I should probably change the default path in HttpAuthPlugin from /xmlrpc to /login/xmlrpc. I would guess that is causing confusion.

comment:3 Changed 11 years ago by anonymous

is there a possibility to state more than one path, and if yes, how?

comment:4 Changed 11 years ago by rupert thurner

see #1021. i'm not sure which component is responsible for doing what here. usually /login/xmlrpc should pop up a basic auth window, isn't it?

comment:5 Changed 11 years ago by rupert thurner

Resolution: invalid
Severity: normalcritical
Status: closedreopened

allow me to reopen. i still don't understand, but i think it might be possible that the problem lies in the IRequestFilter, IRequestHandler and which one comes first. if it is like in apache, then xmlrpc should have IRequestFilter somehow implemented, isn't it?

see #1021 for the code parts ...

comment:6 Changed 11 years ago by Alec Thomas

Resolution: invalid
Status: reopenedclosed

This is not a bug in XmlRpcPlugin, it is a configuration issue with HttpAuthPlugin. Configure it to require authentication when accessing the /login/xmlrpc URL:

[httpauth]
paths = /xmlrpc, /login/xmlrpc

Then access XMLRPC via /login/xmlrpc as instructed in the XmlRpcPlugin page. If this doesn't work it is likely to be a problem with HttpAuthPlugin.

As for your question, IRequestFilters are always executed before IRequestHandlers.

comment:7 Changed 11 years ago by rupert thurner

uh, mea culpa. i hardcoded it and forgot to remove the erreounous config file entry. put your httpauth setting also on the HttpAuthPlugin page to prevent people with similar stupidity doing the same :)

Modify Ticket

Change Properties
Set your email in Preferences
Action
as closed The owner will remain Alec Thomas.
The resolution will be deleted.

Add Comment


E-mail address and name can be saved in the Preferences.

 
Note: See TracTickets for help on using tickets.