Issue 2595: Add ability for anonymous users to be prompted for credentials on gitweb.
Affected Version:

What steps will reproduce the problem?
1. Create a project foo with no anonymous access
2. Log in to Gerrit and navigate to gitweb for that project https://server/gitweb?p=foo.git;a=summary
3. Verify the link works
4. Return to Gerrit and log out
5. Navigate to https://server/gitweb?p=foo.git;a=summary

What is the expected output? What do you see instead?
I expect to be prompted for credentials; what I get is a 404 page.

Please provide any additional information below.
This is correct, to prevent information leaking (about projects that exist). However, Gerrit itself does not prevent this leakage when cloning a project. It should also be possible to prompt for authentication regardless of whether the project (resource) existed or not, thereby providing this functionality without any information leak. That is, you should only send a 404 for authenticated users. Anonymous requests for https://server/gitweb?p=doesnotexists.git;a=summary should also result in an HTTP 401 status code.
Apr 8, 2014
Project Member
#1
david.pu...@sonymobile.com
Status:
ChangeUnderReview
Jun 23, 2014
(No comment was entered for this change.)
Labels:
FixedIn-2.10
Oct 8, 2014
(No comment was entered for this change.)
Status:
Submitted
Jan 27, 2015
(No comment was entered for this change.)
Status:
Released
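
The status-code policy requested in this issue, sketched as an added example (not Gerrit code and not part of the original report): anonymous requests are challenged with 401 before project existence is consulted, and 404 is returned only to authenticated users. PROJECTS, USERS, basic() and gitweb_response() are hypothetical names, and the sample data is constructed.

```python
import base64
import hmac

# Constructed sample data: project -> users allowed to read it ("*" = anonymous).
PROJECTS = {"foo.git": {"alice"}, "public.git": {"*"}}
USERS = {"alice": "s3cret", "bob": "hunter2"}  # constructed credentials
CHALLENGE = {"WWW-Authenticate": 'Basic realm="gitweb"'}


def basic(user, password):
    """Build an HTTP Basic Authorization header for the examples."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return {"Authorization": f"Basic {token}"}


def authenticate(headers):
    """Return the user name for valid Basic credentials, else None."""
    scheme, _, blob = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(blob, validate=True).decode()
    except ValueError:  # covers malformed base64 and invalid UTF-8
        return None
    user, _, password = decoded.partition(":")
    expected = USERS.get(user)
    if expected is None:
        return None
    ok = hmac.compare_digest(expected.encode(), password.encode())
    return user if ok else None


def gitweb_response(project, headers):
    """Return (status, response_headers) for a gitweb request."""
    readers = PROJECTS.get(project, set())
    if "*" in readers:
        return 200, {}  # anonymously readable: nothing to hide
    user = authenticate(headers)
    if user is None:
        # Anonymous or bad credentials: challenge identically whether or
        # not the project exists, so the response reveals nothing.
        return 401, dict(CHALLENGE)
    if user in readers:
        return 200, {}
    # Authenticated, but unreadable or nonexistent: the same 404 for both.
    return 404, {}
```

An anonymous request for `foo.git` and one for `doesnotexists.git` receive identical responses, and an authenticated user without read access cannot tell a hidden project from a missing one.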