amartel / redmine_webdav

WebDav plugin for redmine

check and maybe merge Guillaume Perréal's improvements #27

Closed cforce closed 11 years ago

cforce commented 11 years ago

see http://www.redmine.org/issues/3712#note-19

It is using the proper authentication (authn) and authorization (authz) handlers instead of access and authentication ones. They could theoretically work separately.

The authentication phase only authenticates, e.g. checks login/password. It honors the 'login_required' settings. It returns "AUTH_REQUIRED" in case of password mismatch and "FORBIDDEN" for inactive accounts.

The authorization phase checks if the authenticated user is allowed. It properly honors anonymous and non-member permissions on public projects. It returns "FORBIDDEN" if the user is not authorized, but for anonymous. In the latter case, it returns "AUTH_REQUIRED" to enforce login.

The credential cache takes the required permission into account. With the shipped Redmine.pm, I think you can commit right after doing reading since the required permissions are not tested. I have added a RedmineCacheCredsMaxAge setting to define an expiration delay. The credential cache only works if you use both handlers. Credentials are recorded in the authz handler and they are tested in the authn handler during subsequent requests.
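A minimal stand-alone model of the two-phase design described in the comment above, added here as an illustration: it is not code from Redmine.pm, RedmineAdvanced.pm or Guillaume Perréal's module, it does not use mod_perl, and the users, project, permission names and function names are all constructed. It shows the cache key covering the required permission, so a cached "read" does not let a "commit" through, and entries expiring after a fixed delay.

```perl
use strict;
use warnings;
use Digest::SHA qw(sha256_hex);
# Constructed sample data; every name below is hypothetical, not taken from Redmine.pm.
my ($MAX_AGE, $LOGIN_REQUIRED) = (5, 0);   # stand-ins for RedmineCacheCredsMaxAge, login_required
my %USERS = (alice => { hash => sha256_hex('s3cret'),  active => 1, member => { demo => ['read'] } },
             bob   => { hash => sha256_hex('hunter2'), active => 0, member => {} },
             carol => { hash => sha256_hex('pa55'),    active => 1, member => {} });
my %PROJECTS = (demo => { public => 1, anonymous => ['read'], non_member => ['read'] });
my %cache;                                 # cache key => time the authz phase recorded it

# Authentication phase: identity only (login/password, account status).
sub authn {
    my ($user, $pass) = @_;
    return $LOGIN_REQUIRED ? 'AUTH_REQUIRED' : 'OK' unless defined $user;
    my $u = $USERS{$user};
    return 'AUTH_REQUIRED' unless $u && $u->{hash} eq sha256_hex($pass);
    return $u->{active} ? 'OK' : 'FORBIDDEN';
}

# Authorization phase: member, non-member and anonymous permissions on the project.
sub authz {
    my ($user, $project, $perm) = @_;
    my $p = $PROJECTS{$project} or return 'FORBIDDEN';
    my $granted = !defined $user                  ? ($p->{public} ? $p->{anonymous}  : [])
                : $USERS{$user}{member}{$project} ? $USERS{$user}{member}{$project}
                :                                   ($p->{public} ? $p->{non_member} : []);
    return 'OK' if grep { $_ eq $perm } @$granted;
    return defined $user ? 'FORBIDDEN' : 'AUTH_REQUIRED';   # anonymous is asked to log in
}

# One request: the cache is tested before authn, and filled only after authz succeeds.
sub handle {
    my ($user, $pass, $project, $perm, $now) = @_;
    # The key covers the required permission, so a cached "read" never answers for "commit".
    my $key = defined $user ? sha256_hex(join "\0", $user, $pass, $project, $perm) : undef;
    return 'OK (cached)' if defined $key && exists $cache{$key} && $now - $cache{$key} <= $MAX_AGE;
    my $status = authn($user, $pass);
    $status = authz($user, $project, $perm) if $status eq 'OK';
    $cache{$key} = $now if defined $key && $status eq 'OK';
    return $status;
}

# Constructed requests: [user, password, project, required permission, time in seconds]
for my $r (['alice', 's3cret', 'demo', 'read', 100], ['alice', 's3cret', 'demo', 'read', 103],
           ['alice', 's3cret', 'demo', 'commit', 104], ['alice', 's3cret', 'demo', 'read', 110],
           ['bob', 'hunter2', 'demo', 'read', 111], ['carol', 'pa55', 'demo', 'read', 112],
           [undef, undef, 'demo', 'commit', 113]) {
    printf "%-5s %-6s t=%d -> %s\n", $r->[0] // 'anon', $r->[3], $r->[4], handle(@$r);
}
```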

amartel commented 11 years ago

What's wrong with my RedmineAdvanced.pm module and what correction has been made in this other implementation??

cforce commented 11 years ago

At least the expiration delay is a nice feature.

amartel commented 11 years ago

Maybe, but I already have an expiration delay and I used a fixed value, 5 seconds, because this produced a good balance between security and performance... I'm not sure there is a real need to have a delay in configuration settings, as I'm pretty sure that the same value is used everywhere...

cforce commented 11 years ago

OK, you are the expert, I only wanted you to know the stuff I stumbled on. If it's not useful, then just leave it.