summaryrefslogtreecommitdiff
path: root/Documentation/technical/api-sha1-array.txt
diff options
context:
space:
mode:
authorLibravatar Jeff King <peff@peff.net>2013-04-10 23:32:11 -0400
committerLibravatar Junio C Hamano <gitster@pobox.com>2013-04-11 07:33:07 -0700
commitfdae191003381b1e2026422ffbd580ba39f1ab91 (patch)
tree8e980690cba65b095b73f43dc0cea5bc7964401b /Documentation/technical/api-sha1-array.txt
parentGit 1.8.2.1 (diff)
downloadtgif-fdae191003381b1e2026422ffbd580ba39f1ab91.tar.xz
doc/http-backend: clarify "half-auth" repo configuration
When the http-backend is set up to allow anonymous read but authenticated write, the http-backend manual suggests catching only the "/git-receive-pack" POST of the packfile, not the initial "info/refs?service=git-receive-pack" GET in which we advertise refs. This does work and is secure, as we do not allow any write during the info/refs request, and the information in the ref advertisement is the same that you would get from a fetch. However, the configuration required by the server is slightly more complex. The default `http.receivepack` setting is to allow pushes if the webserver tells us that the user authenticated, and otherwise to return a 403 ("Forbidden"). That works fine if authentication is turned on completely; the initial request requires authentication, and http-backend realizes it is OK to do a push. But for this "half-auth" state, no authentication has occurred during the initial ref advertisement. The http-backend CGI therefore does not think that pushing should be enabled, and responds with a 403. The client cannot continue, even though the server would have allowed it to run if it had provided credentials. It would be much better if the server responded with a 401, asking for credentials during the initial contact. But git-http-backend does not know about the server's auth configuration (so a 401 would be confusing in the case of a true anonymous server). Unfortunately, configuring Apache to recognize the query string and apply the auth appropriately to receive-pack (but not upload-pack) initial requests is non-trivial. The site admin can work around this by just turning on http.receivepack explicitly in its repositories. Let's document this workaround. Signed-off-by: Jeff King <peff@peff.net> Signed-off-by: Junio C Hamano <gitster@pobox.com>
Diffstat (limited to 'Documentation/technical/api-sha1-array.txt')
0 files changed, 0 insertions, 0 deletions