Revision 732:897bc2b63bfe
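--- a/extra/soundsoftware/SoundSoftware.pm
+++ b/extra/soundsoftware/SoundSoftware.pm
@@ -110,6 +110,11 @@
 req_override => OR_AUTHCFG,
 args_how => TAKE1,
 },
+{
+name => 'SoundSoftwareSslRequired',
+req_override => OR_AUTHCFG,
+args_how => TAKE1,
+},
 );
 
 sub SoundSoftwareDSN {
@@ -143,6 +148,8 @@
 }
 }
 
+sub SoundSoftwareSslRequired { set_val('SoundSoftwareSslRequired', @_); }
+
 sub trim {
 my $string = shift;
 $string =~ s/\s{2,}/ /g;
@@ -184,33 +191,75 @@
 
 my $project_id = get_project_identifier($dbh, $r);
 
-if (!defined $read_only_methods{$method}) {
-print STDERR "SoundSoftware.pm:$$: Method is not read-only\n";
-if (project_repo_is_readonly($dbh, $project_id, $r)) {
-print STDERR "SoundSoftware.pm:$$: Project repo is read-only, refusing access\n";
-return FORBIDDEN;
-} else {
-print STDERR "SoundSoftware.pm:$$: Project repo is read-write, authentication handler required\n";
-return OK;
-}
-}
+# We want to delegate most of the work to the authentication
+# handler (to ensure that user is asked to login even for
+# nonexistent projects -- so they can't tell whether a private
+# project exists or not without authenticating). So
+#
+# * if the project is public
+# - if the method is read-only
+# + set handler to OK, no auth needed
+# - if the method is not read-only
+# + if the repo is read-only, return forbidden
+# + else require auth
+# * if the project is not public or does not exist
+# + require auth
+#
+# If we are requiring auth and are not currently https, and
+# https is required, then we must return a redirect to https
+# instead of an OK.
 
 my $status = get_project_status($dbh, $project_id, $r);
+my $readonly = project_repo_is_readonly($dbh, $project_id, $r);
 
 $dbh->disconnect();
 undef $dbh;
 
-if ($status == 0) { # nonexistent
-print STDERR "SoundSoftware.pm:$$: Project does not exist, refusing access\n";
-return FORBIDDEN;
-} elsif ($status == 1) { # public
-print STDERR "SoundSoftware.pm:$$: Project is public, no restriction here\n";
-$r->set_handlers(PerlAuthenHandler => [\&OK])
-} else { # private
-print STDERR "SoundSoftware.pm:$$: Project is private, authentication handler required\n";
+if ($status == 1) { # public
+
+print STDERR "SoundSoftware.pm:$$: Project is public\n";
+
+if (!defined $read_only_methods{$method}) {
+
+print STDERR "SoundSoftware.pm:$$: Method is not read-only\n";
+
+if ($readonly) {
+print STDERR "SoundSoftware.pm:$$: Project repo is read-only, refusing access\n";
+return FORBIDDEN;
+} else {
+print STDERR "SoundSoftware.pm:$$: Project repo is read-write, auth required\n";
+# fall through, this is the normal case
+}
+
+} else {
+# Public project, read-only method -- this is the only
+# case we can decide for certain to accept in this function
+print STDERR "SoundSoftware.pm:$$: Method is read-only, no restriction here\n";
+$r->set_handlers(PerlAuthenHandler => [\&OK]);
+return OK;
+}
+
+} else { # status != 1, i.e. nonexistent or private -- equivalent here
+
+print STDERR "SoundSoftware.pm:$$: Project is private or nonexistent, auth required\n";
+# fall through
 }
 
-return OK
+if ($cfg->{SoundSoftwareSslRequired} eq "on") {
+if ($r->dir_config('HTTPS') eq "on") {
+return OK;
+} else {
+my $redir_to = "https://" . $r->hostname() . $r->unparsed_uri();
+print STDERR "SoundSoftware.pm:$$: Need to switch to HTTPS, redirecting to $redir_to\n";
+$r->header_out(Location => $redir_to);
+return REDIRECT;
+}
+} else if ($cfg->{SoundSoftwareSslRequired} eq "off") {
+return OK;
+} else {
+print STDERR "WARNING: SoundSoftware.pm:$$: SoundSoftwareSslRequired should be either 'on' or 'off'\n";
+return OK;
+}
 }
 
 sub authen_handler {
@@ -237,6 +286,16 @@
 
 print STDERR "SoundSoftware.pm:$$: User is " . $r->user . ", got password\n";
 
+my $status = get_project_status($dbh, $project_id, $r);
+if ($status == 0) {
+# nonexistent, behave like private project you aren't a member of
+print STDERR "SoundSoftware.pm:$$: Project doesn't exist, not permitted\n";
+$dbh->disconnect();
+undef $dbh;
+$r->note_auth_failure();
+return AUTH_REQUIRED;
+}
+
 my $permitted = is_permitted($dbh, $project_id, $r->user, $redmine_pass, $r);
 
 $dbh->disconnect();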
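Review bot: The SSL check at new line 257 is written `} else if ($cfg->{SoundSoftwareSslRequired} eq "off") {`, which Perl rejects as a syntax error, so as shown the module would not compile and the access handler could not load; it should read `} elsif ($cfg->{SoundSoftwareSslRequired} eq "off") {`. The final `else` at new lines 259-262 returns OK for any value other than 'on' or 'off' (and presumably for an unset directive, where `eq` compares against undef), so a typo in the configuration leaves password authentication on plain HTTP with only a STDERR warning; treating unrecognised values as "on" would fail closed. The HTTPS test uses `$r->dir_config('HTTPS')`, a per-directory variable the administrator has to set correctly for each virtual host rather than the connection's actual state, which deserves a comment such as `# HTTPS must be set via PerlSetVar only in the SSL vhost`. The Location value is built from `$r->hostname()`, which appears to come from the client's Host header, so a configured canonical host name would be a safer source. The enclosing handler starts above the third hunk, so how `$cfg` and `$method` are populated is not visible here.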