On Tuesday 2010-07-06 10:37, Thomas Schmidt wrote:
The root cause of "osc ci" permission failure is caused by the double http request for the remote resource access: For the normal process with allow_anonymous disabled: 1. osc client sends the normal request without authentication header, then server will give a 401 response with authentication requirement for real "API login". 2. osc client sends the same request again with authentication header which includes the username and password, e.g.: "Authorization: Basic amZkaW5nOm1vYmxpbjEyMw=="
Then when allow_anonymous is enabled with IP_ADDR: 1. osc client sends the normal request without authentication header, it passed the anonymous access check since the api server has the same IP_ADDR as the webui server, it will login with _nobody_.
Maybe it would be a good idea if the osc client always sends the authentication header by default?
I think so too, yes. That is what "most" other SCMs do. -- To unsubscribe, e-mail: opensuse-buildservice+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-buildservice+help@opensuse.org