Summary

Improvement to post-review when using webauth

Review Request #415 — Created June 13, 2008 and discarded

Information

Owner

xaviour

Repository

Review Board SVN (deprecated)

Branch

Bugs

513

Depends On

Reviewers

Groups

reviewboard

People

chipx86

Description

Ensure that "post-review" does not try to access the login page before checking whether webauth is enabled. There is a ugly hack in the patch. Instead to trying to access a review, "post-review" should access a specific page. I still have to figure out how to create a new webapi page on the server.

Testing Done

This was tested on the company server that is webauth enabled.

Yeah, this is too ugly.  Creating a little "ping" API node sounds appropriate.

XA

xaviour Aug. 2, 2008, 9:40 p.m.
```
What about the new patch.
```

So, I'm not sold on this just yet. I'm not sure why post-review needs something special or why urllib should be asking for the username/password when we already do. I'd much rather we integrate things on the server-side such that the existing login URL works with the webauth code.

If done right, post-review won't need any special changes, the settings.WEBAUTH key won't need to exist, and the settings webapi path won't need to exist. I'm actually very reluctant to expose authentication method info in a public API call.

xaviour Aug. 14, 2008, 9:39 p.m.

So what about using a HTTPPasswordMgr object when calling the login page. The "account_login" function on the server would ignore username and password if webauth is activated. This scheme however still require the user to type in its username and password which goes against deployment of single sign on with kerberos / ActiveDirectory.

As far as settings.WEBAUTH is concerned, its original purpose was to provide a variable for which to test in the templates (see bug #513). The login and logout links should be displayed or not based on its value. This was added because it turned out that actual end users were confused by the non functional login and logout links. When working using webauth, the webserver always asks for a password to access the page and the browser is happy to provide it. So unless there is a way to request the browser to forget about the password once the logout link has been clicked, it might be difficult to get rid of settings.WEBAUTH.