On Thu, Apr 11, 2013 at 01:19:19AM +0200, Magnus Therning wrote:

> Nope.  I'm pretty sure this had *nothing* to do with my config.  This
> is the original config, which doesn't work:
> $HTTP["url"] =~ "^/git" {
>     cgi.assign = ( "" => "" )
>     setenv.add-environment = (
>         "GIT_PROJECT_ROOT" => "/srv/git",
>         "GIT_HTTP_EXPORT_ALL" => ""
>     )
>     $HTTP["url"] =~ "^/git/.*/git-receive-pack$" {
>         include "trac-git-auth.conf"
>     }
> }

Ah, I think I see what it is.

Did you turn on http.receivepack in the git config to enable pushing?
>From "git help http-backend":

  By default, only the upload-pack service is enabled, which serves git
  fetch-pack and git ls-remote clients, which are invoked from git
  fetch, git pull, and git clone. If the client is authenticated, the
  receive-pack service is enabled, which serves git send-pack clients,
  which is invoked from git push.


      This serves git send-pack clients, allowing push. It is disabled
      by default for anonymous users, and enabled by default for users
      authenticated by the web server. It can be disabled by setting
      this item to false, or enabled for all users, including anonymous
      users, by setting it to true.

If there is no authentication happening for the initial service-request,
then the default http.receivepack kicks in, which is to turn pushing
off (because there is no authenticated user).

When you do this;

> $HTTP["querystring"] =~ "service=git-receive-pack" {
>     $HTTP["url"] =~ "^/git" {
>         cgi.assign = ( "" => "" )
>         setenv.add-environment = (
>             "GIT_PROJECT_ROOT" => "/srv/git",
>             "GIT_HTTP_EXPORT_ALL" => ""
>         )
>         include "trac-git-auth.conf"
>     }

Then you are asking for authentication earlier (on the first request),
and the default behavior is to allow the push.

The documentation should probably make the use of http.receivepack more
clear in this situation.

> > However, even before the fix, it never got a 403 on the GET of
> > info/refs. It got a 401 on the later POST, but didn't prompt for
> > credentials.
> I know nothing about CGI, but surely the script signals the need for a
> valid user to the server somehow, couldn't the web server then decide
> to return 403 rather than 401 *if there's no configuration for
> authentication*?

I think that series is a red herring. It did not affect the server-side
at all, but was a fix for the _client_ to handle the 401 it should
receive in that situation. But your server was generating a 403, for
different reasons.

So _if_ you fixed it by setting http.receivepack (which I think is the
simplest thing under Apache, since matching the query string there is
hard), then you would need a version of git with that fix on the
client side to actually have git prompt for the password correctly.

But your fix under lighttpd is much better, as it asks for the
credentials up front (which means the client does not go to any work
creating a packfile just to find out that it does not have access).

To unsubscribe from this list: send the line "unsubscribe git" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Reply via email to