Review Board authenticates against a Perforce server using a single login.
It does not and cannot use the user's login information. We store the user's
password using a standard encryption method that is one-way, meaning we have
no idea what the user's password is and thus cannot use it for a login.

In some cases, there's not even a logged-in user. If you have anonymous
access to the Review Board server, then we couldn't use that active user's
login information.

One might say then that if we *could* use the login information from a user,
then why not use the submitter of the review request as the source of that
information? Well, that works until the submitter leaves the company or has
his account otherwise deactivated. Now there's no user to authenticate with
and nobody can see the diffs for that review request.

All this assumes of course that your Perforce user accounts and your Review
Board user accounts are the same. That may not always be the case, and it
certainly won't be for many of our other SCMs. Special-casing Perforce in
this way is both confusing and limiting.

Review Board uses the specified login information any time it needs to fetch
a file from the server for displaying a diff (unless that file exists in the
server cache). In the future it may be used for browsing repositories.

Because fetching the file may happen at any time, we can't just send and use
the same password the user used with post-review. The file may be generated
any time after the post-review call. post-review uses cookies to keep
session state anyway, meaning that the last time you logged in with
post-review may be months ago, and that password is not stored anywhere.

*Any* user can be specified for this as long as it has full read access to
that repository. You can use a dedicated account, or some user's account
(such as the Review Board administrator).

I hope that helps clear things up. This would be a good entry for the FAQ.


Christian Hammond - chip...@chipx86.com
Review Board - http://www.review-board.org
VMware, Inc. - http://www.vmware.com

On Sun, Sep 13, 2009 at 11:56 PM, gauri.khandekar <gauri.khande...@gmail.com> wrote:

> Hi
> I have a working setup of Reviewboard.
> I am using Perforce.
> The user accounts that I created on ReviewBoard have the same "login-name"
> and password as the user's Perforce account.
> My questions:
> 1. Why do I need to specify a Perforce login/password (or ticket)
> while adding repositories in the Admin tool?
> 2. How and when does Reviewboard use the account/password that I
> specify while adding a repository?
> 3. Why can't Reviewboard use the same login/password as the user's?
> (The post-review script that runs from the client has the password; why
> can that be used?)
