changeset 6089:dfbc455e2c46

new setting xmlrpc_overwrite_user to control the behaviour of the xmlrpc code with respect to user authentication
author Thomas Waldmann <tw AT waldmann-edv DOT de>
date Fri, 09 Jan 2015 20:17:10 +0100
parents 371fb8e44d41
children 01e4a21a5d1d 9f12f41504fc
files MoinMoin/config/multiconfig.py MoinMoin/xmlrpc/__init__.py docs/CHANGES
diffstat 3 files changed, 12 insertions(+), 2 deletions(-) [+]
--- a/MoinMoin/config/multiconfig.py	Thu Nov 13 11:21:51 2014 +0100
+++ b/MoinMoin/config/multiconfig.py	Fri Jan 09 20:17:10 2015 +0100
@@ -1169,6 +1169,7 @@
     ('search_results_per_page', 25, "Number of hits shown per page in the search results"),
 
     ('siteid', 'default', None),
+    ('xmlrpc_overwrite_user', True, "Overwrite authenticated user at start of xmlrpc code"),
   )),
 }
 
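Review bot: The help text on the added `xmlrpc_overwrite_user` entry does not say what switching it off means. With False, an xmlrpc request keeps whatever user the earlier authentication has already put on the request. An admin reading only this table would not see that the setting widens who xmlrpc calls run as. I would spell it out, e.g. `"Overwrite authenticated user at start of xmlrpc code (False: xmlrpc requests keep the user set by the configured auth methods)"`. The options tuple begins outside the hunk.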
--- a/MoinMoin/xmlrpc/__init__.py	Thu Nov 13 11:21:51 2014 +0100
+++ b/MoinMoin/xmlrpc/__init__.py	Fri Jan 09 20:17:10 2015 +0100
@@ -132,7 +132,8 @@
             else:
                 # overwrite any user there might be, if you need a valid user for
                 # xmlrpc, you have to use multicall and getAuthToken / applyAuthToken
-                request.user = user.User(request, auth_method='xmlrpc:invalid')
+                if request.cfg.xmlrpc_overwrite_user:
+                    request.user = user.User(request, auth_method='xmlrpc:invalid')
 
                 data = request.read()
 
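Review bot: The comment above the new `if request.cfg.xmlrpc_overwrite_user:` still says unconditionally that any existing user is overwritten, which is no longer true when the setting is False. In that case the branch goes on to `request.read()` with `request.user` left as it was set before this code runs. The changelog names GivenAuth as the intended use, but nothing in the hunk limits it to that, so a user established by any other configured auth method would presumably also be accepted for xmlrpc calls. I would update the comment to state this, e.g. `# unless cfg.xmlrpc_overwrite_user is False, discard any user set by earlier auth;` followed by `# with False, xmlrpc runs as that user - only enable with header-based auth such as GivenAuth`. The enclosing function starts and ends outside the hunk, so how `request.user` is used afterwards is not visible here.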
--- a/docs/CHANGES	Thu Nov 13 11:21:51 2014 +0100
+++ b/docs/CHANGES	Fri Jan 09 20:17:10 2015 +0100
@@ -16,7 +16,7 @@
     editor_force = True
     editor_default = 'text'  # internal default, just for completeness
 
-Version 1.9.8:
+Version <not released yet>:
   SECURITY HINT: make sure you have allow_xslt = False (or just do not use
   allow_xslt at all in your wiki configs, False is the internal default).
   Allowing XSLT/4suite is very dangerous, see HelpOnConfiguration wiki page.
@@ -24,6 +24,14 @@
   HINT: Python >= 2.5 is maybe required! See docs/REQUIREMENTS for details.
 
   New features:
+  * cfg.xmlrpc_overwrite_user is a new setting to control whether the xmlrpc
+    code overwrites an already authenticated user before processing a request.
+    True (default): behaviour as in 1.9.8 and before
+    False: use this if you want to use GivenAuth (e.g. http basic auth) for
+           xmlrpc requests.
+
+Version 1.9.8:
+  New features:
   * cfg.recovery_token_lifetime to determine how long the password recovery
     token will be valid, default is 12 [h]. Check this setting to be adequate
     before doing (global) password resets, so your users have enough time to