diff options
author | Joey Hess <joeyh@joeyh.name> | 2016-11-10 13:48:54 -0400 |
---|---|---|
committer | Joey Hess <joeyh@joeyh.name> | 2016-11-10 13:48:54 -0400 |
commit | fa5da899d5f5637a821cf8e996f7d4571464b489 (patch) | |
tree | 4144189c8ac152b1ce0af466e34aeed5310dea54 | |
parent | 0628a6a986449204cb6d847c1a6a76e5f0222984 (diff) |
webapp: Explicitly avoid checking for auth in static subsite requests.
Yesod didn't used to do auth checks for that, but this may have changed.
I don't have a way to reproduce the reported problem yet, but this change
certianly won't hurt anything.
This commit was sponsored by Thom May on Patreon.
-rw-r--r-- | CHANGELOG | 3 | ||||
-rw-r--r-- | Utility/WebApp.hs | 21 | ||||
-rw-r--r-- | doc/bugs/Webapp_missing_CSS_and_JS_resources___40__401_Unauthorized__41__/comment_2_20e774c16d6978e0a1137a1e406da244._comment | 16 |
3 files changed, 32 insertions, 8 deletions
@@ -13,6 +13,9 @@ git-annex (6.20161032) UNRELEASED; urgency=medium * reinject --known: Avoid second, unncessary checksum of file. * OSX: Remove RPATHs from git-annex binary, which are not needed, slow down startup, and break the OSX Sierra linker. + * webapp: Explicitly avoid checking for auth in static subsite + requests. Yesod didn't used to do auth checks for that, but this may + have changed. -- Joey Hess <id@joeyh.name> Tue, 01 Nov 2016 14:02:06 -0400 diff --git a/Utility/WebApp.hs b/Utility/WebApp.hs index cff5b268e..63ca33520 100644 --- a/Utility/WebApp.hs +++ b/Utility/WebApp.hs @@ -182,15 +182,20 @@ genAuthToken = do - - Note that the usual Yesod error page is bypassed on error, to avoid - possibly leaking the auth token in urls on that page! + - + - If the predicate does not match the route, the auth parameter is not + - needed. -} -checkAuthToken :: Yesod.MonadHandler m => (Yesod.HandlerSite m -> AuthToken) -> m Yesod.AuthResult -checkAuthToken extractAuthToken = do - webapp <- Yesod.getYesod - req <- Yesod.getRequest - let params = Yesod.reqGetParams req - if (toAuthToken <$> lookup "auth" params) == Just (extractAuthToken webapp) - then return Yesod.Authorized - else Yesod.sendResponseStatus unauthorized401 () +checkAuthToken :: Yesod.MonadHandler m => Yesod.RenderRoute site => (Yesod.HandlerSite m -> AuthToken) -> Yesod.Route site -> ([T.Text] -> Bool) -> m Yesod.AuthResult +checkAuthToken extractAuthToken r predicate + | not (predicate (fst (Yesod.renderRoute r))) = return Yesod.Authorized + | otherwise = do + webapp <- Yesod.getYesod + req <- Yesod.getRequest + let params = Yesod.reqGetParams req + if (toAuthToken <$> lookup "auth" params) == Just (extractAuthToken webapp) + then return Yesod.Authorized + else Yesod.sendResponseStatus unauthorized401 () {- A Yesod joinPath method, which adds an auth cgi parameter to every - url matching a predicate, containing a token extracted from the diff --git a/doc/bugs/Webapp_missing_CSS_and_JS_resources___40__401_Unauthorized__41__/comment_2_20e774c16d6978e0a1137a1e406da244._comment b/doc/bugs/Webapp_missing_CSS_and_JS_resources___40__401_Unauthorized__41__/comment_2_20e774c16d6978e0a1137a1e406da244._comment new file mode 100644 index 000000000..eb630f364 --- /dev/null +++ b/doc/bugs/Webapp_missing_CSS_and_JS_resources___40__401_Unauthorized__41__/comment_2_20e774c16d6978e0a1137a1e406da244._comment @@ -0,0 +1,16 @@ +[[!comment format=mdwn + username="joey" + subject="""comment 2""" + date="2016-11-10T17:30:57Z" + content=""" +I don't reproduce the problem here. From where did you install git-annex? + +This seems likely to have something to do with the version of yesod it was +built against. + +No session cookie is used; the auth token is not supposed to be needed when +accessing urls under `/static/`. Looking at the code, this was not done +explicitly; it seems to have relied on yesod not checking for authorization +for static site parts. I've committed a change, to explicitly skip auth for +`/static/` but without being able to reproduce the problem, can't test it. +"""]] |