enabled disabling of REMOTE_USER for when it's not a valid username

[SF#1190187]

Author: Richard Jones

CHANGES.txt

@@ -16,6 +16,8 @@ Fixed:
 - fix handling of invalid interval input
 - search locale files relative ro roundup installation path (sf bug 1219689)
 - use translation for boolean property rendering (sf bug 1225152)
+- enabled disabling of REMOTE_USER for when it's not a valid username (sf
+  bug 1190187)
 
 
 2005-05-02 0.8.3

roundup/cgi/client.py

@@ -1,4 +1,4 @@
-# $Id: client.py,v 1.213 2005-04-13 03:38:23 richard Exp $
+# $Id: client.py,v 1.214 2005-06-24 05:22:03 richard Exp $
 
 """WWW request handler (also used in the stand-alone server).
 """
@@ -397,32 +397,33 @@ def determine_user(self):
 
         # first up, try the REMOTE_USER var (from HTTP Basic Auth handled
         # by a front-end HTTP server)
-        if self.env.has_key('REMOTE_USER'):
-            user = self.env['REMOTE_USER']
-        else:
-            user = 'anonymous'
+        use_http_auth = self.instance.config['WEB_HTTP_AUTH'] == 'yes'
+        user = 'anonymous'
+        if use_http_auth:
+            if self.env.has_key('REMOTE_USER'):
+                user = self.env['REMOTE_USER']
+            # try handling Basic Auth ourselves
+            elif self.env.get('HTTP_AUTHORIZATION', ''):
+                auth = self.env['HTTP_AUTHORIZATION']
+                scheme, challenge = auth.split(' ', 1)
+                if scheme.lower() == 'basic':
+                    try:
+                        decoded = base64.decodestring(challenge)
+                    except TypeError:
+                        # invalid challenge
+                        pass
+                    username, password = decoded.split(':')
+                    try:
+                        login = self.get_action_class('login')(self)
+                        login.verifyLogin(username, password)
+                    except LoginError, err:
+                        self.make_user_anonymous()
+                        self.response_code = 403
+                        raise Unauthorised, err
+
+                    user = username
 
-        # try handling Basic Auth ourselves
-        if (user == 'anonymous') and self.env.get('HTTP_AUTHORIZATION', ''):
-            scheme, challenge = self.env['HTTP_AUTHORIZATION'].split(' ', 1)
-            if scheme.lower() == 'basic':
-                try:
-                    decoded = base64.decodestring(challenge)
-                except TypeError:
-                    # invalid challenge
-                    pass
-                username, password = decoded.split(':')
-                try:
-                    self.get_action_class('login')(self).verifyLogin(
-                        username, password)
-                except LoginError, err:
-                    self.make_user_anonymous()
-                    self.response_code = 403
-                    raise Unauthorised, err
-
-                user = username
-
-        # look up the user session cookie (may override the REMOTE_USER)
+        # look up the user session cookie (may override the HTTP Basic Auth)
         cookie = self.cookie
         if (cookie.has_key(self.cookie_name) and
                 cookie[self.cookie_name].value != 'deleted'):

roundup/configuration.py

@@ -1,6 +1,6 @@
 # Roundup Issue Tracker configuration support
 #
-# $Id: configuration.py,v 1.25 2005-02-14 02:48:10 richard Exp $
+# $Id: configuration.py,v 1.26 2005-06-24 05:22:03 richard Exp $
 #
 __docformat__ = "restructuredtext"
 
@@ -467,6 +467,14 @@ class NullableFilePathOption(NullableOption, FilePathOption):
             "by OS environment variable LANGUAGE, LC_ALL, LC_MESSAGES,\n"
             "or LANG, in that order of preference."),
     )),
+    ("web", (
+        (Option, 'http_auth', "yes",
+            "Whether to use HTTP Basic Authentication, if present.\n"
+            "Roundup will use either the REMOTE_USER or HTTP_AUTHORIZATION\n"
+            "variables supplied by your web server (in that order).\n"
+            "Set this option to 'no' if you do not wish to use HTTP Basic\n"
+            "Authentication in your web interface."),
+    )),
     ("rdbms", (
         (Option, 'name', 'roundup',
             "Name of the database to use.",