
Repositories requiring authentication do not prompt for auth details over HTTP if "policy.allow-public" is true
Closed, Duplicate (Public)

Description

If you set policy.allow-public to true and force a repository's visibility to less than public, you get a 404 response code instead of a 401, which prompts for auth details in git/mercurial.
You hit this: https://secure.phabricator.com/diffusion/P/browse/master/src/applications/diffusion/controller/DiffusionServeController.php;348ca4207c1c5757a7f1797fa181d4d9bec2f09f$102
instead of this which you hit without policy.allow-public: https://secure.phabricator.com/diffusion/P/browse/master/src/applications/diffusion/controller/DiffusionServeController.php;348ca4207c1c5757a7f1797fa181d4d9bec2f09f$87
In other words, it seems that the repository fetch never throws the appropriate policy exception.

Event Timeline

mikn created this task. May 14 2014, 8:34 AM
mikn raised the priority of this task from to Needs Triage.
mikn updated the task description.
mikn added projects: Repositories, Diffusion.
mikn added a subscriber: mikn.

If you set non public and you do a:

git -c core.askpass=true ls-remote -h  ...

you get a 403

For what it's worth, I can only recreate this issue if I use Spaces (which T8798 already mentioned). I'm on the latest stable (rP535c1a5f255e0da69ea5fbfb230b699eb5a152b1) with a dummy git repo set to project member visibility, and I tried cloning the dummy repo under the following conditions:

| | policy.allow-public==true | policy.allow-public==false |
| No spaces | Cloned successfully | Cloned successfully |
| Created Default space with Public visibility | Cloned successfully | Cloned successfully |
| Changed Default space to All Users visibility | Repository not found | Cloned successfully |
| Shifted repo to a second space that had Public visibility | Cloned successfully | Cloned successfully |
| Changed second space to All Users visibility | Repository not found | Cloned successfully |

Basically, iff policy.allow-public is true AND my repo is in a non-public space, then I can't clone the repo over HTTP(S). Unlike what @mikn originally described, though, I don't have any trouble when the repository itself has non-public visibility; it's only when it's in a non-public space.

This is expected with Spaces, which completely hide objects (primarily as a performance consideration). I'm going to merge this into T9771 which discusses this issue more broadly.
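
A simplified model of the behaviour reported in this thread, as an added example that is not Phabricator's code and was not posted by any participant. It assumes a client that sends credentials only after a 401 challenge; the status code chosen in each branch is inferred from the outcomes reported above, and `Repo`, `serve` and `git_clone` are hypothetical names.

```python
from dataclasses import dataclass
from typing import Optional

PUBLIC, ALL_USERS, MEMBERS = "Public", "All Users", "Project Members"

@dataclass
class Repo:
    visibility: str               # policy on the repository itself
    space: Optional[str] = None   # visibility of its Space; None = Spaces unused

def visible(policy: str, authenticated: bool) -> bool:
    # Assumption: the authenticated user satisfies every non-public policy.
    return policy == PUBLIC or authenticated

def serve(repo: Repo, allow_public: bool, authenticated: bool) -> int:
    """Status code for one HTTP request (simplified model of the server)."""
    if not authenticated and not allow_public:
        return 401   # anonymous viewers are never accepted: challenge
    if repo.space is not None and not visible(repo.space, authenticated):
        return 404   # the Space hides the object, so it looks nonexistent
    if not visible(repo.visibility, authenticated):
        return 401   # policy failure on the repository itself: challenge
    return 200

def git_clone(repo: Repo, allow_public: bool) -> str:
    """Client side: try anonymously, send credentials only after a 401."""
    status = serve(repo, allow_public, authenticated=False)
    if status == 401:
        status = serve(repo, allow_public, authenticated=True)
    return "Cloned successfully" if status == 200 else "Repository not found"

# Constructed scenarios mirroring three rows of the table in the thread.
SCENARIOS = {
    "No spaces": Repo(MEMBERS),
    "Space: Public": Repo(MEMBERS, space=PUBLIC),
    "Space: All Users": Repo(MEMBERS, space=ALL_USERS),
}

def outcome_table():
    # (result with allow-public true, result with allow-public false)
    return {name: (git_clone(r, True), git_clone(r, False))
            for name, r in SCENARIOS.items()}

if __name__ == "__main__":
    for name, (pub, nopub) in outcome_table().items():
        print(f"{name:18} true: {pub:22} false: {nopub}")
```

The only failing cell is the one where the first anonymous request is answered with 404: the client never receives a challenge, so valid credentials are never sent.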