New config-option 'cookie_takes_precedence'

.. in the [web] section.  This allows sub-logins (e.g. without a
password given a specific role) even when a non-cookie login mechanism
(like Kerberos) is in use. With that mechanism e.g., a Kerberos ticket
will not take precedence over an existing cookie. This might become the
default in the future and the new option might go away.

Author: schlatterbeck

CHANGES.txt

@@ -57,6 +57,12 @@ Features:
   variable. (John Rouillard)
 - New roundup-admin command importtables allows importing just the
   database dump created by exporttables. (John Rouillard)
+- New config-option 'cookie_takes_precedence' in the [web] section. This
+  allows sub-logins (e.g. without a password given a specific role) even
+  when a non-cookie login mechanism (like Kerberos) is in use. With that
+  mechanism e.g., a Kerberos ticket will not take precedence over an
+  existing cookie. This might become the default in the future and the
+  new option might go away.
 
 2020-04-05 2.0.0 beta 0
 

roundup/cgi/client.py

@@ -997,7 +997,14 @@ def determine_user(self):
         user = None
         # first up, try http authorization if enabled
         cfg = self.instance.config
-        if cfg.WEB_HTTP_AUTH:
+        if cfg.WEB_COOKIE_TAKES_PRECEDENCE:
+            user = self.session_api.get('user')
+            if user:
+                # update session lifetime datestamp
+                self.session_api.update()
+                if 'REMOTE_USER' in self.env:
+                    del self.env['REMOTE_USER']
+        if not user and cfg.WEB_HTTP_AUTH:
             if 'REMOTE_USER' in self.env:
                 # we have external auth (e.g. by Apache)
                 user = self.env['REMOTE_USER']

roundup/configuration.py

@@ -731,11 +731,10 @@ def str2value(self, value):
             "admin role may see these history entries, you can make them\n"
             "visible to all users by adding, e.g., the 'User' role here."),
         (Option, "error_messages_to", "user",
-            # XXX This description needs better wording,
-            #   with explicit allowed values list.
-            "Send error message emails to the dispatcher, user, or both?\n"
-            "The dispatcher is configured using the DISPATCHER_EMAIL"
-            " setting."),
+            'Send error message emails to the "dispatcher", "user", '
+            'or "both" (these are the allowed values)?\n'
+            'The dispatcher is configured using the DISPATCHER_EMAIL'
+            ' setting.'),
         (Option, "html_version", "html4",
             "HTML version to generate. The templates are html4 by default.\n"
             "If you wish to make them xhtml, then you'll need to change this\n"
@@ -841,6 +840,16 @@ def str2value(self, value):
             "addition this is compatible with Active Directory which\n"
             "stores the username with realm as UserPrincipalName in\n"
             "lowercase."),
+        (BooleanOption, 'cookie_takes_precedence', "no",
+            "If the http_auth option is in effect (see above)\n"
+            "we're accepting a REMOTE_USER variable resulting from\n"
+            "an authentication mechanism implemented in the web-server,\n"
+            "e.g., Kerberos login or similar. To override the mechanism\n"
+            "provided by the web-server (e.g. for enabling sub-login as\n"
+            "another user) we tell roundup that the cookie takes\n"
+            "precedence over a REMOTE_USER or HTTP_AUTHORIZATION\n"
+            "variable. So if both, a cookie and a REMOTE_USER is\n"
+            "present, the cookie wins.\n"),
         (IntegerNumberGeqZeroOption, 'login_attempts_min', "3",
             "Limit login attempts per user per minute to this number.\n"
             "By default the 4th login attempt in a minute will notify\n"