Re: git-http-backend: anonymous read, authenticated write

[Jeff King <peff@peff.net>]

On Wed, Apr 10, 2013 at 11:30:59PM +0200, Jakub Narębski wrote:

> >   1. GET $repo/info/refs?service=git-receive-pack
> > 
> >      This makes initial contact and gets the ref information which push
> >      uses to decide what it is going to push. So it is read-only, and in
> >      an anonymous-read setup, does not need to be protected.
> 
> Yes, it doesn't need to be protected, but *git-receive-pack* requires
> (or required) valid user even for above GET request for getting refs.

Right. But that is not anything receive-pack is doing; it is up to his
webserver config, which is why I asked to see it.

> >   2. POST $repo/git-receive-pack
> > 
> >      This actually pushes up the objects and updates the refs, and
> >      must be protected.
> > 
> > The setup listed above does work with apache; it is tested as part of
> > our test suite (you can see the actual config in t/lib-httpd/apache.conf).
> > So what in lighttpd is giving us the 403? Can you share your whole
> > config?
> 
> I think I have seen a patch on git mailing list to correct this, but
> I am not sure.
> 
> Are you sure that we test this correctly?

Perhaps you are thinking of the jk/maint-http-half-auth-push topic from
last August/September. It explicitly tests the setup from the manpage.
The relevant commits are 4c71009 (t: test http access to "half-auth"
repositories, 2012-08-27) which demonstrates the problem, and b81401c
(http: prompt for credentials on failed POST, 2012-08-27).

However, even before the fix, it never got a 403 on the GET of
info/refs. It got a 401 on the later POST, but didn't prompt for
credentials.

-Peff