Posted to commits@allura.apache.org by ke...@apache.org on 2022/02/18 19:38:03 UTC

[allura] branch master updated (4fb7a6a -> 57eae8c)

This is an automated email from the ASF dual-hosted git repository.

kentontaylor pushed a change to branch master
in repository https://gitbox.apache.org/repos/asf/allura.git.


    from 4fb7a6a  [#8411] specify higher docker-compose version file
     new b438b66  Avoid extra redirect for /p/foo => /p/foo/ since the latter will do its own redir anyway
     new 549d0ee  301 instead of 302 for http/https redirects
     new 57eae8c  Remove old force_ssl.logged_in config, which is the only situation a 302 Found would've been appropriate for http/https redirects

The 3 revisions listed above as "new" are entirely new to this
repository and will be described in separate emails.  The revisions
listed as "add" were already present in the repository and have only
been added to this reference.


Summary of changes:
 Allura/allura/config/middleware.py                        |  3 +--
 Allura/allura/controllers/project.py                      |  9 ++-------
 Allura/allura/controllers/root.py                         |  2 --
 Allura/allura/lib/custom_middleware.py                    | 11 ++++-------
 Allura/allura/lib/plugin.py                               |  6 ------
 Allura/allura/tests/functional/test_root.py               |  1 +
 Allura/development.ini                                    |  7 +------
 CHANGES                                                   |  2 ++
 ForgeActivity/forgeactivity/tests/functional/test_root.py |  2 +-
 9 files changed, 12 insertions(+), 31 deletions(-)

[allura] 01/03: Avoid extra redirect for /p/foo => /p/foo/ since the latter will do its own redir anyway

Posted by ke...@apache.org.
This is an automated email from the ASF dual-hosted git repository.

kentontaylor pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/allura.git

commit b438b6607ff92c7e92416652886ee45ea783c1ac
Author: Dave Brondsema <db...@slashdotmedia.com>
AuthorDate: Fri Feb 18 13:38:51 2022 -0500

    Avoid extra redirect for /p/foo => /p/foo/ since the latter will do its own redir anyway
---
 Allura/allura/controllers/project.py                      | 9 ++-------
 ForgeActivity/forgeactivity/tests/functional/test_root.py | 2 +-
 2 files changed, 3 insertions(+), 8 deletions(-)

diff --git a/Allura/allura/controllers/project.py b/Allura/allura/controllers/project.py
index d8593af..6de75c3 100644
--- a/Allura/allura/controllers/project.py
+++ b/Allura/allura/controllers/project.py
@@ -397,19 +397,14 @@ class ProjectController(FeedController):
         require_access(c.project, 'read')
 
     @expose()
-    @with_trailing_slash
     def index(self, **kw):
         mount, app = c.project.first_mount_visible(c.user)
-        activity_enabled = asbool(config.get('activitystream.enabled', False))
         if mount is not None:
             if hasattr(app, 'default_redirect'):
                 app.default_redirect()
-            if 'ac' in mount:
-                redirect(mount['ac'].options.mount_point + '/')
-            elif 'sub' in mount:
-                redirect(mount['sub'].url())
+            redirect(app.url() if callable(app.url) else app.url)  # Application has property; Subproject has method
         else:
-            redirect(c.project.app_configs[0].options.mount_point + '/')
+            redirect(c.project.app_configs[0].url())
 
     def get_feed(self, project, app, user):
         """Return a :class:`allura.controllers.feed.FeedArgs` object describing
diff --git a/ForgeActivity/forgeactivity/tests/functional/test_root.py b/ForgeActivity/forgeactivity/tests/functional/test_root.py
index 9963972..6b9a057 100644
--- a/ForgeActivity/forgeactivity/tests/functional/test_root.py
+++ b/ForgeActivity/forgeactivity/tests/functional/test_root.py
@@ -57,7 +57,7 @@ class TestActivityController(TestController):
     @td.with_user_project('test-user-1')
     def test_anon_read(self):
         r = self.app.get('/u/test-user-1',
-                extra_environ={'username': str('*anonymous')}).follow().follow()
+                extra_environ={'username': str('*anonymous')}).follow()
         assert r.html.select('div.profile-section.tools a[href="/u/test-user-1/activity/"]'),\
             'No Activity tool in top nav'
 

[allura] 03/03: Remove old force_ssl.logged_in config, which is the only situation a 302 Found would've been appropriate for http/https redirects

Posted by ke...@apache.org.
This is an automated email from the ASF dual-hosted git repository.

kentontaylor pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/allura.git

commit 57eae8cd97880b61af0f471f4b875a339d942899
Author: Dave Brondsema <db...@slashdotmedia.com>
AuthorDate: Fri Feb 18 14:05:26 2022 -0500

    Remove old force_ssl.logged_in config, which is the only situation a 302 Found would've been appropriate for http/https redirects
---
 Allura/allura/config/middleware.py     | 3 +--
 Allura/allura/controllers/root.py      | 2 --
 Allura/allura/lib/custom_middleware.py | 7 ++-----
 Allura/allura/lib/plugin.py            | 6 ------
 Allura/development.ini                 | 7 +------
 CHANGES                                | 2 ++
 6 files changed, 6 insertions(+), 21 deletions(-)

diff --git a/Allura/allura/config/middleware.py b/Allura/allura/config/middleware.py
index 458cb3b..b81c388 100644
--- a/Allura/allura/config/middleware.py
+++ b/Allura/allura/config/middleware.py
@@ -169,8 +169,7 @@ def _make_core_app(root, global_conf, full_stack=True, **app_conf):
     # Ensure http and https used per config
     if config.get('override_root') != 'task':
         app = SSLMiddleware(app, app_conf.get('no_redirect.pattern'),
-                            app_conf.get('force_ssl.pattern'),
-                            app_conf.get('force_ssl.logged_in'))
+                            app_conf.get('force_ssl.pattern'))
     # Setup resource manager, widget context SOP
     app = ew.WidgetMiddleware(
         app,
diff --git a/Allura/allura/controllers/root.py b/Allura/allura/controllers/root.py
index c9092b3..c3a928a 100644
--- a/Allura/allura/controllers/root.py
+++ b/Allura/allura/controllers/root.py
@@ -107,8 +107,6 @@ class RootController(WsgiDispatchController):
                                     'Did you run `paster setup-app` to create the database?')
         if not c.user.is_anonymous():
             c.user.track_active(request)
-            if asbool(config.get('force_ssl.logged_in')):
-                session.secure = True
 
             # Make sure the page really isn't cached (not accessible by back button, etc)
             # pylons.configuration defaults to "no-cache" only.
diff --git a/Allura/allura/lib/custom_middleware.py b/Allura/allura/lib/custom_middleware.py
index 31e7200..4bd6736 100644
--- a/Allura/allura/lib/custom_middleware.py
+++ b/Allura/allura/lib/custom_middleware.py
@@ -230,7 +230,7 @@ class SSLMiddleware(object):
 
     'Verify the https/http schema is correct'
 
-    def __init__(self, app, no_redirect_pattern=None, force_ssl_pattern=None, force_ssl_logged_in=False):
+    def __init__(self, app, no_redirect_pattern=None, force_ssl_pattern=None):
         self.app = app
         if no_redirect_pattern:
             self._no_redirect_re = re.compile(no_redirect_pattern)
@@ -240,7 +240,6 @@ class SSLMiddleware(object):
             self._force_ssl_re = re.compile(force_ssl_pattern)
         else:
             self._force_ssl_re = re.compile('$$$')
-        self._force_ssl_logged_in = force_ssl_logged_in
 
     def __call__(self, environ, start_response):
         req = Request(environ)
@@ -256,9 +255,7 @@ class SSLMiddleware(object):
         else:
             secure = req.url.startswith('https://')
             srv_path = req.url.split('://', 1)[-1]
-            # allura-loggedin is a non-secure cookie as a flag to know that the user has a session over on https
-            force_ssl = (self._force_ssl_logged_in and req.cookies.get('allura-loggedin')) \
-                        or self._force_ssl_re.match(environ['PATH_INFO'])
+            force_ssl = self._force_ssl_re.match(environ['PATH_INFO'])
             if req.environ.get('tg.original_request'):
                 # if an error occurs, then /error/document is fetched (denoted by tg.original_request)
                 # and we don't want to do any redirects within that sub-request
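Review bot: `force_ssl = self._force_ssl_re.match(environ['PATH_INFO'])` is now the sole decider, and the fallback pattern visible in the earlier hunk, `re.compile('$$$')`, is not a never-match: `$` is an end-of-string anchor, so it matches an empty PATH_INFO and would force an https redirect for such a request even with no `force_ssl.pattern` configured (pre-existing, but worth fixing alongside this simplification). A pattern that cannot match, e.g. `self._force_ssl_re = re.compile(r'(?!)')`, or keeping the attribute `None` and testing for it, removes that edge. `environ['PATH_INFO']` also raises KeyError if the key is absent; `environ.get('PATH_INFO', '')` is the defensive form. `__call__` starts and ends outside this hunk.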
diff --git a/Allura/allura/lib/plugin.py b/Allura/allura/lib/plugin.py
index 20d2ef7..75071cd 100644
--- a/Allura/allura/lib/plugin.py
+++ b/Allura/allura/lib/plugin.py
@@ -223,11 +223,6 @@ class AuthenticationProvider(object):
         g.statsUpdater.addUserLogin(user)
         user.add_login_detail(login_details)
         user.track_login(self.request)
-        # set a non-secure cookie with same expiration as session,
-        # so an http request can know if there is a related session on https
-        response.set_cookie('allura-loggedin', value='true',
-                            expires=None if self.session['login_expires'] is True else self.session['login_expires'],
-                            secure=False, httponly=True)
         return user
 
     def login_check_password_change_needed(self, user, password, login_details):
@@ -263,7 +258,6 @@ class AuthenticationProvider(object):
     def logout(self):
         self.session.invalidate()
         self.session.save()
-        response.delete_cookie('allura-loggedin')
         response.set_cookie('memorable_forget', '/', secure=request.environ['beaker.session'].secure)
 
     def validate_password(self, user, password):
diff --git a/Allura/development.ini b/Allura/development.ini
index eb024f8..d7ff83e 100644
--- a/Allura/development.ini
+++ b/Allura/development.ini
@@ -111,7 +111,7 @@ jinja_cache_size = -1
 beaker.session.key = allura
 beaker.session.type = cookie
 beaker.session.httponly = true
-; set this to true if you use HTTPS.  If you use force_ssl.logged_in, this will be set automatically when logged in and not when not.
+; set this to true if you use HTTPS
 beaker.session.secure = false
 ; CHANGE THIS VALUE FOR YOUR SITE
 beaker.session.validate_key = 714bfe3612c42390726f
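Review bot: The shortened comment `; set this to true if you use HTTPS` drops the only hint operators had that the session cookie's Secure flag used to be set automatically for logged-in users; with `force_ssl.logged_in` removed, a site that relied on it now ships its session cookie without the Secure flag unless this value is set explicitly. Suggest `; set this to true if you use HTTPS (required with force_ssl.pattern; no longer set automatically for logged-in users)`. The CHANGES entry in the later hunk of this commit would benefit from the same sentence, since it is where upgraders will look.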
@@ -313,11 +313,6 @@ webhook.repo_push.max_hooks = {"git": 3, "hg": 3, "svn": 3}
 
 ; To make all pages use ssl:   (also set beaker.session.secure above)
 ;force_ssl.pattern = .
-; To use ssl if and only if a user is logged in:
-;force_ssl.logged_in = true
-; If you set force_ssl.logged_in, you probably want some URLs to be ssl when logged out:
-;   (import_project uses a login overlay)
-;force_ssl.pattern = ^/auth|^/[a-z0-9-]+/import_project/
 ; And to permit some URLs to be accessed over http anyway:
 ;    /_test_vars is used when running `paster shell`
 ;no_redirect.pattern = ^/nf/\d+/_(ew|static)_/|^/rest/|^/nf/tool_icon_css|^/auth/refresh_repo|^/_test_vars
diff --git a/CHANGES b/CHANGES
index 3cf2136..2f8b6a0 100644
--- a/CHANGES
+++ b/CHANGES
@@ -8,6 +8,8 @@ Breaking Changes
    Either set the LOCAL_SHARED_DATA_ROOT env variable to /allura-data or change
    the value in the local `.env` file (or move your /allura-data to
    ./allura-data).
+ * Remove the `force_ssl.logged_in` config option.  It is recommended to use https for
+   all visitors, whether logged in or not.
 
 
 Version 1.13.0  (May 2021)

[allura] 02/03: 301 instead of 302 for http/https redirects

Posted by ke...@apache.org.
This is an automated email from the ASF dual-hosted git repository.

kentontaylor pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/allura.git

commit 549d0ee483140a23a4d31f36dd8d4efa67c8c6fc
Author: Dave Brondsema <db...@slashdotmedia.com>
AuthorDate: Fri Feb 18 13:54:12 2022 -0500

    301 instead of 302 for http/https redirects
---
 Allura/allura/lib/custom_middleware.py      | 4 ++--
 Allura/allura/tests/functional/test_root.py | 1 +
 2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/Allura/allura/lib/custom_middleware.py b/Allura/allura/lib/custom_middleware.py
index 25b31bf..31e7200 100644
--- a/Allura/allura/lib/custom_middleware.py
+++ b/Allura/allura/lib/custom_middleware.py
@@ -264,9 +264,9 @@ class SSLMiddleware(object):
                 # and we don't want to do any redirects within that sub-request
                 pass
             elif not secure and force_ssl:
-                resp = exc.HTTPFound(location='https://' + srv_path)
+                resp = exc.HTTPMovedPermanently(location='https://' + srv_path)
             elif secure and not force_ssl:
-                resp = exc.HTTPFound(location='http://' + srv_path)
+                resp = exc.HTTPMovedPermanently(location='http://' + srv_path)
             if not resp:
                 resp = self.app
         return resp(environ, start_response)
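Review bot: The https→http branch `resp = exc.HTTPMovedPermanently(location='http://' + srv_path)` makes a downgrade to plaintext cacheable by browsers: a client that once received it keeps going to http for that URL until its cache expires, so later enabling `force_ssl.pattern` for that path can produce a redirect loop (the cached 301 to http, then the server's 301 back to https), and the same loop appears immediately for any client under an HSTS policy. Consider keeping the permanent status only for the http→https branch and using a non-cacheable 302, or no downgrade redirect at all, on the https→http side, with a comment saying why the two branches differ. A 301 also lets user agents turn a POST into a GET; if forms can arrive over http, `exc.HTTPPermanentRedirect` (308) preserves the method where the installed WebOb provides it. `__call__` begins outside this hunk.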
diff --git a/Allura/allura/tests/functional/test_root.py b/Allura/allura/tests/functional/test_root.py
index 31efd55..8804397 100644
--- a/Allura/allura/tests/functional/test_root.py
+++ b/Allura/allura/tests/functional/test_root.py
@@ -206,4 +206,5 @@ class TestRootWithSSLPattern(TestController):
                          extra_environ={'wsgi.url_scheme': str('https')},
                          status=404)
         assert '302 Found' not in r.text, r.text
+        assert '301 Moved Permanently' not in r.text, r.text
         assert '/error/document' not in r.text, r.text