Page MenuHomePhabricator

Repositories requiring authentication does not prompt for auth details over http if "policy.allow-public" is true
Closed, DuplicatePublic


If you set policy.allow-public to true and force a repositories visibility to less than public you get a 404 response code instead of a 401 which prompts for auth details in git/mercurial.
You hit this:;348ca4207c1c5757a7f1797fa181d4d9bec2f09f$102
instead of this which you hit without policy.allow-public:;348ca4207c1c5757a7f1797fa181d4d9bec2f09f$87
In other words, it seems that the repository fetch never throws the appropriate policy exception.

Event Timeline

mikn raised the priority of this task from to Needs Triage.
mikn updated the task description. (Show Details)
mikn added projects: Repositories, Diffusion.
mikn added a subscriber: mikn.

If you set non public and you do a:

git -c core.askpass=true ls-remote -h  ...

you get a 403

For what it's worth, I can only recreate this issue if I use Spaces (which T8798 already mentioned). I'm on the latest stable (rP535c1a5f255e0da69ea5fbfb230b699eb5a152b1) with a dummy git repo set to project member visibility, and I tried cloning the dummy repo under the following conditions:

No spacesCloned successfullyCloned successfully
Created Default space with Public visibilityCloned successfullyCloned successfully
Changed Default space to All Users visibilityRepository not foundCloned successfully
Shifted repo to a second space that had Public visibilityCloned successfullyCloned successfully
Changed second space to All Users visibilityRepository not foundCloned successfully

Basically, iff policy.allow-public is true AND my repo is in a non-public space, then I can't clone the repo over HTTP(S). Unlike what @mikn originally described, though, I don't have any trouble when the repository itself has non-public visibility; it's only when it's in a non-public space.

This is expected with Spaces, which completely hide objects (primarily as a performance consideration). I'm going to merge this into T9771 which discusses this issue more broadly.