
Repositories requiring authentication do not prompt for auth details over http if "policy.allow-public" is true
Closed, Duplicate | Public

Description

If you set policy.allow-public to true and force a repository's visibility to less than public, you get a 404 response code instead of a 401, which prompts for auth details in git/mercurial.
You hit this: https://secure.phabricator.com/diffusion/P/browse/master/src/applications/diffusion/controller/DiffusionServeController.php;348ca4207c1c5757a7f1797fa181d4d9bec2f09f$102
instead of this which you hit without policy.allow-public: https://secure.phabricator.com/diffusion/P/browse/master/src/applications/diffusion/controller/DiffusionServeController.php;348ca4207c1c5757a7f1797fa181d4d9bec2f09f$87
In other words, it seems that the repository fetch never throws the appropriate policy exception.

Event Timeline

mikn raised the priority of this task from to Needs Triage.
mikn updated the task description.
mikn added projects: Repositories, Diffusion.
mikn added a subscriber: mikn.

If you set non public and you do a:

git -c core.askpass=true ls-remote -h  ...

you get a 403

For what it's worth, I can only recreate this issue if I use Spaces (which T8798 already mentioned). I'm on the latest stable (rP535c1a5f255e0da69ea5fbfb230b699eb5a152b1) with a dummy git repo set to project member visibility, and I tried cloning the dummy repo under the following conditions:

| | policy.allow-public==true | policy.allow-public==false |
|---|---|---|
| No spaces | Cloned successfully | Cloned successfully |
| Created Default space with Public visibility | Cloned successfully | Cloned successfully |
| Changed Default space to All Users visibility | Repository not found | Cloned successfully |
| Shifted repo to a second space that had Public visibility | Cloned successfully | Cloned successfully |
| Changed second space to All Users visibility | Repository not found | Cloned successfully |

Basically, iff policy.allow-public is true AND my repo is in a non-public space, then I can't clone the repo over HTTP(S). Unlike what @mikn originally described, though, I don't have any trouble when the repository itself has non-public visibility; it's only when it's in a non-public space.

This is expected with Spaces, which completely hide objects (primarily as a performance consideration). I'm going to merge this into T9771 which discusses this issue more broadly.
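
Added example, not part of the thread and not Phabricator's code: a simplified model of the status-code flow discussed above, showing why a 404 from a hidden space stops the git client from ever offering credentials while a 401 lets the clone succeed. The policy labels, function names and the rule that a repository-level policy failure returns 401 are assumptions chosen to match the test matrix in the comment above.

```python
from dataclasses import dataclass
from typing import Optional

PUBLIC, USERS = "public", "users"  # constructed policy labels for this model

@dataclass
class Repo:
    view_policy: str                    # the repository's own visibility
    space_policy: Optional[str] = None  # None means Spaces is not in use

def visible(policy: str, authenticated: bool) -> bool:
    # Assumption: any authenticated viewer satisfies a non-public policy.
    return policy == PUBLIC or authenticated

def serve_status(repo: Repo, allow_public: bool, authenticated: bool) -> int:
    """HTTP status for one request to the repository's HTTP endpoint."""
    # Without policy.allow-public, anonymous requests are challenged
    # before any repository lookup happens.
    if not authenticated and not allow_public:
        return 401
    # A space the viewer cannot see hides the object completely, so the
    # lookup finds nothing and no policy exception is raised.
    if repo.space_policy is not None and not visible(repo.space_policy, authenticated):
        return 404
    # Assumption: a failure on the repository's own policy is a visible
    # policy error, answered with an authentication challenge.
    if not visible(repo.view_policy, authenticated):
        return 401
    return 200

def clone(repo: Repo, allow_public: bool) -> str:
    """Model a git client that starts anonymous and holds valid credentials."""
    status = serve_status(repo, allow_public, authenticated=False)
    if status == 401:
        # Only a 401 makes the client ask for credentials and retry.
        status = serve_status(repo, allow_public, authenticated=True)
    return {200: "Cloned successfully", 404: "Repository not found"}.get(status, f"HTTP {status}")

def matrix() -> dict:
    """Outcome for each space setup under both policy.allow-public values."""
    spaces = {"no space": None, "public space": PUBLIC, "all-users space": USERS}
    return {(name, allow): clone(Repo(USERS, sp), allow)
            for name, sp in spaces.items() for allow in (True, False)}

if __name__ == "__main__":
    for key, outcome in matrix().items():
        print(key, "->", outcome)
```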