merge from HEAD

Richard Jones · Richard Jones · commit b62aaa488266 · 2005-06-24T05:28:24.000Z
diff --git a/CHANGES.txt b/CHANGES.txt
@@ -9,6 +9,9 @@ Fixed:
 - fix handling of invalid interval input
 - search locale files relative ro roundup installation path (sf bug 1219689)
 - use translation for boolean property rendering (sf bug 1225152)
+- enabled disabling of REMOTE_USER for when it's not a valid username (sf
+  bug 1190187)
+- fix invocation of hasPermission from templating code (sf bug 1224172)
 
 
 2005-05-02 0.8.3
diff --git a/doc/index.txt b/doc/index.txt
@@ -135,6 +135,7 @@ Dougal Scott,
 Stefan Seefeld,
 Jouni K Seppanen,
 Jeffrey P Shell,
+Dan Shidlovsky,
 Joel Shprentz,
 Terrel Shumway,
 Emil Sit,
diff --git a/roundup/cgi/client.py b/roundup/cgi/client.py
@@ -1,4 +1,4 @@
-# $Id: client.py,v 1.211.2.1 2005-01-05 22:02:05 richard Exp $
+# $Id: client.py,v 1.211.2.2 2005-06-24 05:28:24 richard Exp $
 
 """WWW request handler (also used in the stand-alone server).
 """
@@ -396,32 +396,33 @@ def determine_user(self):
 
         # first up, try the REMOTE_USER var (from HTTP Basic Auth handled
         # by a front-end HTTP server)
-        if self.env.has_key('REMOTE_USER'):
-            user = self.env['REMOTE_USER']
-        else:
-            user = 'anonymous'
+        use_http_auth = self.instance.config['WEB_HTTP_AUTH'] == 'yes'
+        user = 'anonymous'
+        if use_http_auth:
+            if self.env.has_key('REMOTE_USER'):
+                user = self.env['REMOTE_USER']
+            # try handling Basic Auth ourselves
+            elif self.env.get('HTTP_AUTHORIZATION', ''):
+                auth = self.env['HTTP_AUTHORIZATION']
+                scheme, challenge = auth.split(' ', 1)
+                if scheme.lower() == 'basic':
+                    try:
+                        decoded = base64.decodestring(challenge)
+                    except TypeError:
+                        # invalid challenge
+                        pass
+                    username, password = decoded.split(':')
+                    try:
+                        login = self.get_action_class('login')(self)
+                        login.verifyLogin(username, password)
+                    except LoginError, err:
+                        self.make_user_anonymous()
+                        self.response_code = 403
+                        raise Unauthorised, err
+
+                    user = username
 
-        # try handling Basic Auth ourselves
-        if (user == 'anonymous') and self.env.get('HTTP_AUTHORIZATION', ''):
-            scheme, challenge = self.env['HTTP_AUTHORIZATION'].split(' ', 1)
-            if scheme.lower() == 'basic':
-                try:
-                    decoded = base64.decodestring(challenge)
-                except TypeError:
-                    # invalid challenge
-                    pass
-                username, password = decoded.split(':')
-                try:
-                    self.get_action_class('login')(self).verifyLogin(
-                        username, password)
-                except LoginError, err:
-                    self.make_user_anonymous()
-                    self.response_code = 403
-                    raise Unauthorised, err
-
-                user = username
-
-        # look up the user session cookie (may override the REMOTE_USER)
+        # look up the user session cookie (may override the HTTP Basic Auth)
         cookie = self.cookie
         if (cookie.has_key(self.cookie_name) and
                 cookie[self.cookie_name].value != 'deleted'):
diff --git a/roundup/cgi/templating.py b/roundup/cgi/templating.py
@@ -1055,7 +1055,7 @@ def hasPermission(self, permission, classname=_marker,
         if classname is self._marker:
             classname = self._client.classname
         return self._client.db.security.hasPermission(permission,
-            self._nodeid, classname)
+            self._nodeid, classname, property, itemid)
 
 def HTMLItem(client, classname, nodeid, anonymous=0):
     if classname == 'user':
diff --git a/roundup/configuration.py b/roundup/configuration.py
@@ -1,6 +1,6 @@
 # Roundup Issue Tracker configuration support
 #
-# $Id: configuration.py,v 1.23.2.2 2005-02-14 02:55:30 richard Exp $
+# $Id: configuration.py,v 1.23.2.3 2005-06-24 05:28:24 richard Exp $
 #
 __docformat__ = "restructuredtext"
 
@@ -467,6 +467,14 @@ class NullableFilePathOption(NullableOption, FilePathOption):
             "by OS environment variable LANGUAGE, LC_ALL, LC_MESSAGES,\n"
             "or LANG, in that order of preference."),
     )),
+    ("web", (
+        (Option, 'http_auth', "yes",
+            "Whether to use HTTP Basic Authentication, if present.\n"
+            "Roundup will use either the REMOTE_USER or HTTP_AUTHORIZATION\n"
+            "variables supplied by your web server (in that order).\n"
+            "Set this option to 'no' if you do not wish to use HTTP Basic\n"
+            "Authentication in your web interface."),
+    )),
     ("rdbms", (
         (Option, 'name', 'roundup',
             "Name of the database to use.",
