Defect #2692

closed

The Apache Authentication handler Redmine.pm should honor login_required parameter

Added by Felix Schäfer about 15 years ago. Updated over 13 years ago.

Status: Closed
Priority: Normal
Assignee: -
Category: -
Target version: -
Start date: 2009-02-07
Due date:
% Done: 0%
Estimated time:
Resolution: Fixed
Affected version:

Description

Redmine: r2363

The Redmine.pm authentication handler for Apache should check for the login_required parameter. I currently have a Redmine install that requires login, where some projects are public, so that every logged-in user can read them. I would expect the svn authentication to follow the same scheme, but repositories for public projects are also available to users who are not logged in.


Files

Redmine.pm (10.8 KB) Derrick Rapp, 2009-03-17 02:53

Actions #1

Updated by Felix Schäfer about 15 years ago

I updated my Redmine.pm a little so that no unauthenticated user can access a repository in a "login_required" Redmine installation. Here is the patch:

Index: Redmine.pm
===================================================================
--- Redmine.pm  (revision 2389)
+++ Redmine.pm  (working copy)
@@ -206,7 +206,7 @@
   my $project_id = get_project_identifier($r);

   $r->set_handlers(PerlAuthenHandler => [\&OK])
-      if is_public_project($project_id, $r);
+      if (is_public_project($project_id, $r) && !is_login_required($r));

   return OK
 }
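
Review bot: The new condition on the `set_handlers` line runs `is_login_required($r)` for every request to a public project, and that helper does its own database connect and disconnect each time; consider fetching the setting over a connection that is already open for the request instead of a second round trip. A one-line comment stating that the anonymous bypass applies only when the project is public and the installation does not require login would also help, because this line is the only thing that decides whether `PerlAuthenHandler` is replaced with `OK`.
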
@@ -225,6 +225,22 @@
   }
 }

+sub is_login_required {
+    my $r = shift;
+
+    my $dbh = connect_database($r);
+    my $sth = $dbh->prepare(
+        "SELECT value FROM settings WHERE settings.name='login_required';" 
+    );
+
+    $sth->execute();
+    my @ret = $sth->fetchrow_array();
+    $sth->finish();
+    $dbh->disconnect();
+
+    $ret[0];
+}
+
 sub is_public_project {
     my $project_id = shift;
     my $r = shift;
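
Review bot: `is_login_required` fails open when the `settings` table has no `login_required` row: `fetchrow_array` then returns an empty list, `$ret[0]` is undef, and the caller reads that as "login not required". Decide explicitly what a missing row means and return that, check the results of `prepare` and `execute` before fetching, and compare the value against the exact string the setting stores instead of relying on Perl truthiness of `$ret[0]`. The sub also has no comment saying what it returns, and the trailing `;` inside the SQL string is unnecessary.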

I'll have to work a little more to make it accessible for non-project members for a public project in a login_required Redmine.

Actions #2

Updated by Derrick Rapp about 15 years ago

I was just working through the same issue and came up with a complete solution. My Perl experience is slim to nil, so I tried to change as little as possible. In addition to the change above, I changed the SQL in the main {RedmineQuery} property to include public projects and flipped around some of the code in the is_member function. The existing code was insecure with LDAP authentication and I addressed that as well. I have attached my version of Redmine.pm. Can someone please review my changes and commit it into the tree? Thanks.

Actions #3

Updated by Felix Schäfer over 13 years ago

  • Status changed from New to Closed
  • Resolution set to Fixed

As far as I can see this is fixed in r3831.
