From 81b59aaf9b2a7378f7830edfa4064d47e2c54180 Mon Sep 17 00:00:00 2001
From: Iustin Pop <iustin@google.com>
Date: Tue, 23 Jun 2009 13:38:35 +0200
Subject: [PATCH] Fix HTTP server library handling of credentials

Currently the http library only checks credentials when authentication
is required. This means that any credentials are accepted on the root
resource, for example, which makes problems hard to diagnose - the
user/pw works for all queries, until one tries to do a modification at
which point fails.

This patch changes the PreHandleRequest() function to not ignore
credentials when passed, even if we don't require authentication. This
makes the behavior of RAPI more predictable.

Signed-off-by: Iustin Pop <iustin@google.com>
Reviewed-by: Guido Trotter <ultrotter@google.com>
---
 lib/http/auth.py | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/lib/http/auth.py b/lib/http/auth.py
index b9a66a526..8a8d7201e 100644
--- a/lib/http/auth.py
+++ b/lib/http/auth.py
@@ -101,10 +101,14 @@ class HttpServerRequestAuthentication(object):
     """
     realm = self.GetAuthRealm(req)
 
-    # Authentication required?
-    if realm is None:
+    # Authentication not required, and no credentials given?
+    if realm is None and http.HTTP_AUTHORIZATION not in req.request_headers:
       return
 
+    if realm is None: # in case we don't require auth but someone
+                      # passed the crendentials anyway
+      realm = "Unspecified"
+
     # Check "Authorization" header
     if self._CheckAuthorization(req):
       # User successfully authenticated
-- 
GitLab