Description
Background: When upgrading from 1.8.5 to 1.8.7 our XMLRPC stuff broke due to a pretty silent change, http://hg.moinmo.in/moin/1.8/rev/28d3928f6e6e, which changed XMLRPC getAuthToken/applyAuthToken to be the only way to auth XMLRPC. Well, such is life and we scrambled to check our stuff; however, there was a twist to it.
Bug: XMLRPC getAuthToken returns an empty token if the auth backend is HTTPAuth. This is due to the getAuthToken code trying to call login in the chosen auth handler, and HTTPAuth implementing only request auth handling, not login (or logout) handling. Thus getAuthToken always gets None as the return value from the auth handler for the login event. Should getAuthToken call auth in request mode, or should HTTPAuth implement a login method?
Steps to reproduce
- Install MoinMoin 1.8.7
- Configure Wiki Instance
    ...
    from MoinMoin.auth.http import HTTPAuth
    auth = [HTTPAuth(autocreate=True)]
    actions_excluded = []
    ...
- Configure HTTP Basic Auth e.g. on apache in the front of the Wiki
- Run the following (or similar) to test getAuthToken:
    import xmlrpclib

    # Placeholder credentials for the HTTP Basic Auth user
    username = "WikiUser"
    password = "secret"

    wiki = xmlrpclib.ServerProxy("https://%s:%s@wikihost/?action=xmlrpc2" % (username, password))
    auth_token = wiki.getAuthToken(username, password)  # comes back empty with HTTPAuth
    mc = xmlrpclib.MultiCall(wiki)
    mc.applyAuthToken(auth_token)
    mc.getPage("FrontPage")
    result = mc()
- Observe auth_token to be empty (empty on 1.8.5 and 1.8.7; on 1.8.7 subsequent calls fail)
Example
Component selection
- XMLRPC
Details
MoinMoin Version | Tested on 1.8.5 and 1.8.7
OS and Version |
Python Version |
Server Setup |
Server Details |
Language you are using the wiki in (set in the browser/UserPreferences) |
Workaround
Patch for xmlrpc/__init__.py for MoinMoin 1.8.7 to change auth handler to be called in request mode instead of login mode which has not been implemented for the HTTPAuth backend.
--- __init__.py.orig 2010-02-23 13:01:54.000000000 +0200 +++ __init__.py 2010-02-23 15:20:16.000000000 +0200 @@ -692,7 +692,7 @@ u = self.request.cfg.session_handler.start(self.request, id_handler) u = self.request.handle_auth(u, username=username, - password=password, login=True) + password=password) self.request.cfg.session_handler.after_auth(self.request, id_handler, u)
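Review bot: removing `login=True` from the `handle_auth` call in this hunk changes getAuthToken for every configured auth backend, not only HTTPAuth, so backends that do handle the login event would stop receiving it here. Consider keeping the login call and falling back to request mode only when login returns no user, or making the mode depend on the backend. In request mode `username` and `password` are still passed, but nothing visible in the hunk checks that the user `u` returned by `handle_auth` is the one named by `username`; a comparison before the token is issued, plus a comment explaining why request mode is used, would make the intent clear.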
Discussion
- Sorry about the breakage, it was for fixing a security issue. I'll review your patch later.
A: No prob and thanks for great software. My patch in the workaround might not be the way (or even secure) to go for everyone, it just happened to work for us as a workaround with the HTTPAuth backend. Auth backends had some abstraction layers in front of them so we weren't sure what the "proper" fix is and didn't quite follow the login and request logic. Furthermore the session stuff has changed quite a bit in 1.9. However it would be nice if getAuthToken would somehow still work with 1.8.x and the HTTPAuth backend (with this workaround if it is safe in these conditions or with a better fix) since the XMLRPC support has been very useful at least for us.
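The login-versus-request behaviour discussed in this report, as an added simplified model (not MoinMoin's code and not part of the original report); all class, function and token names are hypothetical and the request data is constructed. It shows why a request-only handler yields an empty token in login mode, what the workaround changes, and a variant that checks the authenticated user against the `username` argument.

```python
# Simplified model of the dispatch described in this report. Hypothetical
# names throughout; this is not MoinMoin source code.

class BaseAuth(object):
    """Default handler: every event passes the current user through."""
    def login(self, request, user, username=None, password=None):
        return user

    def request(self, request, user):
        return user


class RequestOnlyHTTPAuth(BaseAuth):
    """Like the HTTPAuth backend in the report: only request() is implemented."""
    def request(self, request, user):
        # Trust whatever the front-end web server authenticated.
        return request.get("REMOTE_USER") or user


def handle_auth(request, handlers, user=None, username=None,
                password=None, login=False):
    """Run each handler in login mode or in request mode."""
    for h in handlers:
        if login:
            user = h.login(request, user, username=username, password=password)
        else:
            user = h.request(request, user)
    return user


def get_auth_token(request, handlers, username, password, mode):
    """mode: 'login' (as reported), 'request' (workaround), 'checked'."""
    user = handle_auth(request, handlers, username=username,
                       password=password, login=(mode == "login"))
    if mode == "checked" and user != username:
        user = None  # request-authenticated user must match the argument
    # Constructed token format; an empty string models the empty token.
    return "token-for-%s" % user if user else ""


# Constructed request: the web server authenticated "alice" via Basic Auth.
REQ = {"REMOTE_USER": "alice"}
HANDLERS = [RequestOnlyHTTPAuth()]
```

In this model the plain request-mode variant issues a token for the HTTP-authenticated user whatever `username` is passed, which is why the checked variant compares the two before issuing one.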
Plan
- Priority:
- Assigned to:
- Status: