This is an automated email from the ASF dual-hosted git repository. kentontaylor pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/allura.git
commit 57eae8cd97880b61af0f471f4b875a339d942899 Author: Dave Brondsema <[email protected]> AuthorDate: Fri Feb 18 14:05:26 2022 -0500 Remove old force_ssl.logged_in config, which is the only situation a 302 Found would've been appropriate for http/https redirects --- Allura/allura/config/middleware.py | 3 +-- Allura/allura/controllers/root.py | 2 -- Allura/allura/lib/custom_middleware.py | 7 ++----- Allura/allura/lib/plugin.py | 6 ------ Allura/development.ini | 7 +------ CHANGES | 2 ++ 6 files changed, 6 insertions(+), 21 deletions(-) diff --git a/Allura/allura/config/middleware.py b/Allura/allura/config/middleware.py index 458cb3b..b81c388 100644 --- a/Allura/allura/config/middleware.py +++ b/Allura/allura/config/middleware.py @@ -169,8 +169,7 @@ def _make_core_app(root, global_conf, full_stack=True, **app_conf): # Ensure http and https used per config if config.get('override_root') != 'task': app = SSLMiddleware(app, app_conf.get('no_redirect.pattern'), - app_conf.get('force_ssl.pattern'), - app_conf.get('force_ssl.logged_in')) + app_conf.get('force_ssl.pattern')) # Setup resource manager, widget context SOP app = ew.WidgetMiddleware( app, diff --git a/Allura/allura/controllers/root.py b/Allura/allura/controllers/root.py index c9092b3..c3a928a 100644 --- a/Allura/allura/controllers/root.py +++ b/Allura/allura/controllers/root.py @@ -107,8 +107,6 @@ class RootController(WsgiDispatchController): 'Did you run `paster setup-app` to create the database?') if not c.user.is_anonymous(): c.user.track_active(request) - if asbool(config.get('force_ssl.logged_in')): - session.secure = True # Make sure the page really isn't cached (not accessible by back button, etc) # pylons.configuration defaults to "no-cache" only. diff --git a/Allura/allura/lib/custom_middleware.py b/Allura/allura/lib/custom_middleware.py index 31e7200..4bd6736 100644 --- a/Allura/allura/lib/custom_middleware.py +++ b/Allura/allura/lib/custom_middleware.py 
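Review bot: Dropping the logged-in branch leaves `beaker.session.secure` as the only thing that keeps the session cookie off plain http, and the `SSLMiddleware(...)` construction in this hunk never checks that the two settings agree; with `force_ssl.pattern = .` but `beaker.session.secure = false` (still the development.ini default) a browser sends the session cookie in clear on the http request that triggers the redirect, before the redirect helps. A startup check next to the new call would catch the misconfiguration, e.g. `if app_conf.get('force_ssl.pattern') and not asbool(app_conf.get('beaker.session.secure')):` followed by `log.warning('force_ssl.pattern is set but beaker.session.secure is false; the session cookie can be sent over http')`. Whether `asbool` and a module logger are imported in middleware.py, and whether `beaker.session.secure` is reachable through `app_conf` rather than `config`, is not visible in this hunk and should be confirmed. `_make_core_app` starts and ends outside the hunk.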
@@ -230,7 +230,7 @@ class SSLMiddleware(object): 'Verify the https/http schema is correct' - def __init__(self, app, no_redirect_pattern=None, force_ssl_pattern=None, force_ssl_logged_in=False): + def __init__(self, app, no_redirect_pattern=None, force_ssl_pattern=None): self.app = app if no_redirect_pattern: self._no_redirect_re = re.compile(no_redirect_pattern) @@ -240,7 +240,6 @@ class SSLMiddleware(object): self._force_ssl_re = re.compile(force_ssl_pattern) else: self._force_ssl_re = re.compile('$$$') - self._force_ssl_logged_in = force_ssl_logged_in def __call__(self, environ, start_response): req = Request(environ) @@ -256,9 +255,7 @@ class SSLMiddleware(object): else: secure = req.url.startswith('https://') srv_path = req.url.split('://', 1)[-1] - # allura-loggedin is a non-secure cookie as a flag to know that the user has a session over on https - force_ssl = (self._force_ssl_logged_in and req.cookies.get('allura-loggedin')) \ - or self._force_ssl_re.match(environ['PATH_INFO']) + force_ssl = self._force_ssl_re.match(environ['PATH_INFO']) if req.environ.get('tg.original_request'): # if an error occurs, then /error/document is fetched (denoted by tg.original_request) # and we don't want to do any redirects within that sub-request diff --git a/Allura/allura/lib/plugin.py b/Allura/allura/lib/plugin.py index 20d2ef7..75071cd 100644 --- a/Allura/allura/lib/plugin.py +++ b/Allura/allura/lib/plugin.py @@ -223,11 +223,6 @@ class AuthenticationProvider(object): g.statsUpdater.addUserLogin(user) user.add_login_detail(login_details) user.track_login(self.request) - # set a non-secure cookie with same expiration as session, - # so an http request can know if there is a related session on https - response.set_cookie('allura-loggedin', value='true', - expires=None if self.session['login_expires'] is True else self.session['login_expires'], - secure=False, httponly=True) return user def login_check_password_change_needed(self, user, password, login_details): 
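Review bot: With the cookie branch gone, `force_ssl` is decided solely by `self._force_ssl_re.match(environ['PATH_INFO'])`, and the unconfigured fallback `re.compile('$$$')` (context in the preceding hunk) is not a never-matching pattern: it matches the empty string, so an empty PATH_INFO would force an https redirect on an installation that configured no `force_ssl.pattern` at all. Whether PATH_INFO can be empty in Allura's deployments is not visible here, but a fallback that cannot match is cheap: `self._force_ssl_re = re.compile(r'(?!)')` in `__init__`, or keep it `None` and write `force_ssl = bool(self._force_ssl_re and self._force_ssl_re.match(environ['PATH_INFO']))` here. Note also that `match` returns a Match object, not a bool, so anything downstream that compares `force_ssl` rather than testing truthiness would need the `bool(...)` wrap. `__call__` begins in the preceding hunk and continues past this one.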
@@ -263,7 +258,6 @@ class AuthenticationProvider(object): def logout(self): self.session.invalidate() self.session.save() - response.delete_cookie('allura-loggedin') response.set_cookie('memorable_forget', '/', secure=request.environ['beaker.session'].secure) def validate_password(self, user, password): diff --git a/Allura/development.ini b/Allura/development.ini index eb024f8..d7ff83e 100644 --- a/Allura/development.ini +++ b/Allura/development.ini @@ -111,7 +111,7 @@ jinja_cache_size = -1 beaker.session.key = allura beaker.session.type = cookie beaker.session.httponly = true -; set this to true if you use HTTPS. If you use force_ssl.logged_in, this will be set automatically when logged in and not when not. +; set this to true if you use HTTPS beaker.session.secure = false ; CHANGE THIS VALUE FOR YOUR SITE beaker.session.validate_key = 714bfe3612c42390726f @@ -313,11 +313,6 @@ webhook.repo_push.max_hooks = {"git": 3, "hg": 3, "svn": 3} ; To make all pages use ssl: (also set beaker.session.secure above) ;force_ssl.pattern = . -; To use ssl if and only if a user is logged in: -;force_ssl.logged_in = true -; If you set force_ssl.logged_in, you probably want some URLs to be ssl when logged out: -; (import_project uses a login overlay) -;force_ssl.pattern = ^/auth|^/[a-z0-9-]+/import_project/ ; And to permit some URLs to be accessed over http anyway: ; /_test_vars is used when running `paster shell` ;no_redirect.pattern = ^/nf/\d+/_(ew|static)_/|^/rest/|^/nf/tool_icon_css|^/auth/refresh_repo|^/_test_vars diff --git a/CHANGES b/CHANGES index 3cf2136..2f8b6a0 100644 --- a/CHANGES +++ b/CHANGES @@ -8,6 +8,8 @@ Breaking Changes Either set the LOCAL_SHARED_DATA_ROOT env variable to /allura-data or change the value in the local `.env` file (or move your /allura-data to ./allura-data). + * Remove the `force_ssl.logged_in` config option. It is recommended to use https for + all visitors, whether logged in or not. Version 1.13.0 (May 2021)
