Accessing changeset with basic authentication


Douglas José

Jan 17, 2012, 4:07:02 PM
to rhod...@googlegroups.com
Hi,

I would like to integrate an issue tracker (Mantis) with RhodeCode and need to access the changeset information of a password-protected repository. I'm not having success using a URL with basic authentication (in the format "https://<username>:<password>@server"). Is there an alternative way to access the information I need?

Thank you,

Douglas

Marcin Kuzminski

Jan 17, 2012, 4:14:42 PM
to rhod...@googlegroups.com
Hi, yes you can enable API access for each web view in RhodeCode. Please see this: https://secure.rhodecode.org/rhodecode/files/f2bd5b0c10949e6d8467d3b377cf197024fc77b8/docs/api/api.rst#L13-20

Also you might be interested in: https://bitbucket.org/tcplomp/rhodecode-connector-for-mantis

Cheers

Douglas José

Jan 17, 2012, 4:32:21 PM
to rhod...@googlegroups.com
Hi Marcin,

This is exactly the plugin I would like to use. Sorry if I'm not
familiar with Python enough to do this change, but as the plugin will
make a request to /raw-changeset, is it enough to add
@LoginRequired(api_access=True) to the changeset.py file and then
restart RhodeCode?

Thank you,

Douglas

--
Douglas Jose
http://douglasjose.com

- "Use free software. Help us make a free world."

Marcin Kuzminski

Jan 17, 2012, 4:43:07 PM
to rhod...@googlegroups.com
Hi,

You need to change this. https://secure.rhodecode.org/rhodecode/files/1ff606a7858dbd8a5f70b3da5cc89524bd0d84f9/rhodecode/controllers/changeset.py#L49

But beware: it will enable API access to all functions in that controller. If you want to just enable it for raw-changes you must move the @LoginRequired from the __before__ method into each controller function and enable API access just for https://secure.rhodecode.org/rhodecode/files/1ff606a7858dbd8a5f70b3da5cc89524bd0d84f9/rhodecode/controllers/changeset.py#L197
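
The scoping difference described in the reply above, as an added sketch that is not RhodeCode's code and not part of any post in this thread. `LoginRequired` here is a simplified stand-in for the decorator named in the thread; the controller classes, the `dispatch` helper, the request dict and the API key are constructed for illustration.

```python
from functools import wraps
import hmac

API_KEY = "constructed-example-key"  # constructed sample value, not a real key

class LoginRedirect(Exception):
    """Stands in for the redirect to the login page."""

def LoginRequired(api_access=False):
    # Simplified stand-in: a session user always passes; an api_key passes
    # only where the decorated function opted in with api_access=True.
    def decorator(func):
        @wraps(func)
        def wrapper(self, *args, **kwargs):
            req = self.request
            key_ok = api_access and hmac.compare_digest(req.get("api_key", ""), API_KEY)
            if req.get("session_user") or key_ok:
                return func(self, *args, **kwargs)
            raise LoginRedirect()
        return wrapper
    return decorator

class Base:
    def __init__(self, request):
        self.request = request

class WideController(Base):
    # api_access on __before__: every action below accepts ?api_key=
    @LoginRequired(api_access=True)
    def __before__(self):
        pass
    def index(self):
        return "changeset page"
    def raw_changeset(self):
        return "raw diff"

class NarrowController(Base):
    # Check moved onto each action; only raw_changeset accepts the key.
    def __before__(self):
        pass
    @LoginRequired()
    def index(self):
        return "changeset page"
    @LoginRequired(api_access=True)
    def raw_changeset(self):
        return "raw diff"

def dispatch(controller_cls, action, request):
    """Run __before__, then the action, and report a login redirect."""
    ctrl = controller_cls(request)
    try:
        ctrl.__before__()
        return getattr(ctrl, action)()
    except LoginRedirect:
        return "redirect to login"
```

With the narrow layout, a leaked key exposes only the raw-changeset action rather than every view the controller serves.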

Thirumalai Kandasami

Jul 5, 2012, 3:20:53 AM
to rhod...@googlegroups.com
Hi,

I used this plugin https://bitbucket.org/tcplomp/rhodecode-connector-for-mantis for integrating RhodeCode with Mantis.
It's working fine for public repositories, but for private repositories I don't know how to proceed.

As Marcin Kuzminski mentioned in the previous post, "if you want to just enable it for raw-changes you must move the @LoginRequired from __before__ method into each controller function and enable". This is exactly what I want, but unfortunately I'm unable to understand anything in this code. I'm zero in programming. Do you have any sample?
Can you please help me?

Thanks,
Thirumalai.

Thirumalai Kandasami

Jul 5, 2012, 4:30:47 AM
to rhod...@googlegroups.com
Hi,

I changed my changeset.py file to @LoginRequired(api_access=True) and after that I tried to log in with
http://URL?api_key=a2e0a74548aee6d30a56218910973da788761bbd
but it redirected me to the login page:

http://url/_admin/login?came_from=%2F

In the log I got this error:

2012-07-05 13:56:46.367 INFO  [rhodecode.lib.base] User: <AuthUser('id:2:thirumalai|None')> accessed /
2012-07-05 13:56:46.367 WARNI [rhodecode.lib.auth] user <AuthUser('id:2:thirumalai|None')> NOT authenticated on func: HomeController:__before__
2012-07-05 13:56:46.370 INFO  [rhodecode.lib.base] Request to / time: 0.067s

Now I'm checking HomeController.

Thanks,
Thirumalai

Marcin Kuzminski

Jul 5, 2012, 2:12:23 PM
to rhod...@googlegroups.com
Hi,

That should work. Did you restart the server after that change?

Thirumalai Kandasami

Jul 9, 2012, 1:15:13 AM
to rhod...@googlegroups.com

Hi Marcin,

Sorry for my late reply.

I commented out container_auth_enabled = false and proxypass_auth_enabled = false
in production.ini. After that, I tried with a restart but it was not working. Later I noticed I was trying to list all repositories. So I tried displaying a changeset alone (API) and it worked fine.

I tried the same with the Mantis integration but it was not working. Fine, I did the following in RhodeCode:

1. Removed private repository access
2. Removed anonymous access
3. Added read option for default.


After this configuration I tried to pull the repository from Mantis and it worked fine. I was surprised, and I don't know how it worked without any password.
I tried to verify manually with default:default but it was not working.

How is Mantis able to connect to RhodeCode without any username/password? Now I'm breaking my hand to know the root cause.
Can you help me?

My objective is: a RhodeCode private repository needs to connect with Mantis.

Thanks,
Thirumalai.

Ton

Jul 9, 2012, 2:51:08 AM
to rhod...@googlegroups.com
Let me chime in.

If you can access the page http://$server$/$repository$/raw-changeset/tip without logging in (perhaps clear your cache), then you have enough access to get the info into Mantis.

Ton

On Tuesday, January 17, 2012 22:07:02 UTC+1, Douglas José wrote:

Thirumalai Kandasami

Jul 9, 2012, 3:31:50 AM
to rhod...@googlegroups.com
Hi Ton,

Thanks for your quick reply.

I'm able to access the page http://$server$/$repository$/raw-changeset/tip without logging in. Yes, Mantis is working fine, but I want to make sure: will it lead to any security flaw? I mean, can anyone access my repository without permission?

Thanks,
Thirumalai.

Ton

Jul 9, 2012, 7:01:28 AM
to rhod...@googlegroups.com
If you were able to see that page you could say that anyone can see that information.

Ton

On Monday, July 9, 2012 09:31:50 UTC+2, Thirumalai Kandasami wrote:

Marcin Kuzminski

Jul 9, 2012, 7:08:00 AM
to rhod...@googlegroups.com
Hi,

Well, if no one steals the api_key then you're pretty safe, I guess.
You can always make IP restrictions on certain URLs, for an extra security layer.

Ton

Sep 2, 2012, 3:52:32 AM
to rhod...@googlegroups.com
I extended the Mantis plugin to insert API-keys


On Monday, July 9, 2012 13:08:00 UTC+2, Marcin Kuzminski wrote:

Marcin Kuzminski

Sep 2, 2012, 9:42:39 AM
to rhod...@googlegroups.com
Thanks, Ton, for this article!