Issue #364: No authentication if "anonymous is allowed"
Reported by: André Klitzing
State: new
Created on: 2020-03-06 12:45
Updated on: 2020-05-09 00:19
Description
If we allow WRITE permissions to the “default user” in a repository and enable “Allow anonymous access” we don’t get any user information in KALLITHEA_EXTRAS for our hook. We get “default” as user.
If we disable “Allow anonymous access” Kallithea provides the information to KALLITHEA_EXTRAS.
We use LDAP auth and disabled internal plugin.
We need the current user in our hook. Is it fixable?
Attachments
Comments
Comment by Mads Kiilerich, on 2020-03-06 14:53
What version are you using?
It seems dangerous to disable internal auth. That will make it difficult if you should have to change the LDAP settings and can’t log in at all. It can be done, but it is not a standard setup you have. But what is the reason for disabling internal auth? Does that somehow disable anonymous access even if it is disabled?
So you would like to have the user info if the user is authenticated. But what info should it provide if the user isn’t authenticated?
Comment by André Klitzing, on 2020-03-06 15:07
We are using 0.5.2
Oh, it was just a test with internal auth disabled because the log looks like the problem is internal auth. We will enable internal auth again.
Well, I want authenticated WRITE access. Anonymous read-only is ok. But it seems we cannot allow anonymous read-only and enable “all authenticated can write”.
Comment by Mads Kiilerich, on 2020-03-06 15:32
Right.
Is it a Mercurial repo with a standard Mercurial hook, or are you using Git?
Comment by André Klitzing, on 2020-03-06 15:36
Mercurial :-)
Comment by Mads Kiilerich, on 2020-03-06 15:54
I can’t reproduce anything that looks wrong. But the core of the problem seems to be:
> I want authenticated WRITE access
> we allow WRITE permissions to the “default user” in a repository
If you want authenticated write access, don’t allow unauthenticated (“Default”) write access. Just allow unauthenticated read access.
Comment by André Klitzing, on 2020-03-06 20:14
Yes, I don’t want to allow unauthenticated write access. But I want to allow write access to all authenticated users. I don’t want a group that needs to be filled and I don’t want to set individual users to that repository.
How to give “all authenticated users” write access?
I’m using Admin → Default permissions → Repository → Write
But if I enable “Allow anonymous access” the KALLITHEA_EXTRAS is ‘default’.
The combination of both settings disabled the authentication. But I don’t want to disable it. I want to allow write to ALL authenticated users. And all anonymous users can READ ONLY.
Comment by Mads Kiilerich, on 2020-03-08 13:47
The Kallithea default user / anonymous access functionality is quite overloaded. I don’t think it in a simple and predictable way can be extended to support all use cases, including this one.
It seems like the best solution would be in the direction of maintaining an explicit user group with all users and default to add that to all new repos. That could be done with direct database manipulation, initiated externally or through some hook. It could make sense to include better support for that in Kallithea, but that will not be for the upcoming py3 release.
@Thomas De Schampheleire what are your thoughts?
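Added example, not part of the thread and not Kallithea's own code: a Mercurial hook that fails closed when the push cannot be attributed to a real user, which is the situation described above where KALLITHEA_EXTRAS reports “default”. It is written for Python 3 and assumes KALLITHEA_EXTRAS is an environment variable holding a JSON object with a `username` key; the function names are hypothetical.

```python
import json
import os

# Name the reporter sees in KALLITHEA_EXTRAS when the push was not authenticated.
ANONYMOUS_USER = "default"


def pusher_from_environ(environ):
    """Return the username recorded in KALLITHEA_EXTRAS, or None if unusable."""
    raw = environ.get("KALLITHEA_EXTRAS")
    if not raw:
        return None
    try:
        extras = json.loads(raw)  # assumption: the value is JSON
    except ValueError:
        return None
    if not isinstance(extras, dict):
        return None
    username = extras.get("username")  # assumption: key name
    if not isinstance(username, str) or not username.strip():
        return None
    return username.strip()


def reject_unattributed_push(environ):
    """Return (reject, reason); reject is True unless a real user is named."""
    user = pusher_from_environ(environ)
    if user is None:
        return True, "no usable user identity in KALLITHEA_EXTRAS"
    if user == ANONYMOUS_USER:
        return True, "push arrived as the anonymous 'default' user"
    return False, "push attributed to %s" % user


def pretxnchangegroup_hook(ui, repo, **kwargs):
    """In-process Mercurial hook: a true return value aborts the transaction."""
    reject, reason = reject_unattributed_push(os.environ)
    if reject:
        ui.warn(("push rejected: %s\n" % reason).encode("utf-8"))
    return reject
```

This only refuses unattributed changesets; it does not make Kallithea ask the client for credentials, so the permission setup discussed in the thread still decides who is prompted to authenticate.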