diff --git a/Assistant/WebApp/Types.hs b/Assistant/WebApp/Types.hs
index ba24b7fd13..4dcaab93c9 100644
--- a/Assistant/WebApp/Types.hs
+++ b/Assistant/WebApp/Types.hs
@@ -48,17 +48,17 @@ data WebApp = WebApp
 }
 mkYesodData "WebApp" $(parseRoutesFile "Assistant/WebApp/routes")
+
+excludeStatic [] = True
+excludeStatic (p:_) = p /= "static"
 instance Yesod WebApp where
 {- Require an auth token be set when accessing any (non-static) route -}
- isAuthorized _ _ = checkAuthToken authToken
+ isAuthorized r _ = checkAuthToken authToken r excludeStatic
 {- Add the auth token to every url generated, except static subsite - urls (which can show up in Permission Denied pages). -}
 joinPath = insertAuthToken authToken excludeStatic
- where
- excludeStatic [] = True
- excludeStatic (p:_) = p /= "static"
 makeSessionBackend = webAppSessionBackend
 jsLoader _ = BottomOfHeadBlocking
diff --git a/CHANGELOG b/CHANGELOG
index a6b734ae97..0981bc5eac 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -13,6 +13,9 @@ git-annex (6.20161032) UNRELEASED; urgency=medium
 * reinject --known: Avoid second, unncessary checksum of file.
 * OSX: Remove RPATHs from git-annex binary, which are not needed, slow down startup, and break the OSX Sierra linker.
+ * webapp: Explicitly avoid checking for auth in static subsite requests. Yesod didn't used to do auth checks for that, but this may have changed.
 -- Joey Hess Tue, 01 Nov 2016 14:02:06 -0400
diff --git a/Utility/WebApp.hs b/Utility/WebApp.hs
index cff5b268ef..63ca335205 100644
--- a/Utility/WebApp.hs
+++ b/Utility/WebApp.hs
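Review bot: The new top-level `excludeStatic` exempts from the token check any route whose first rendered path piece is the literal `"static"`, so the exemption is keyed on a path string rather than on the static subsite itself, and any future route added under a `static` prefix would silently bypass `isAuthorized`. Matching the static subsite's route constructor directly in `isAuthorized` (a dedicated equation for that route returning the authorized result, with `checkAuthToken` as the fallthrough) keeps the exemption tied to the one thing that is meant to be public, while `excludeStatic` can remain the `joinPath` predicate. `excludeStatic` also left its `where` clause without gaining a signature or a comment; `excludeStatic :: [Text] -> Bool` (using whatever Text type the file imports) and `-- | Path predicate shared by isAuthorized and joinPath: only the static subsite is served without the auth token.` would make its dual role visible. The `instance Yesod WebApp` body may continue past the end of the hunk.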
@@ -182,15 +182,20 @@ genAuthToken = do - - Note that the usual Yesod error page is bypassed on error, to avoid - possibly leaking the auth token in urls on that page!
+ -
+ - If the predicate does not match the route, the auth parameter is not
+ - needed.
 -}
-checkAuthToken :: Yesod.MonadHandler m => (Yesod.HandlerSite m -> AuthToken) -> m Yesod.AuthResult
-checkAuthToken extractAuthToken = do
- webapp <- Yesod.getYesod
- req <- Yesod.getRequest
- let params = Yesod.reqGetParams req
- if (toAuthToken <$> lookup "auth" params) == Just (extractAuthToken webapp)
- then return Yesod.Authorized
- else Yesod.sendResponseStatus unauthorized401 ()
+checkAuthToken :: Yesod.MonadHandler m => Yesod.RenderRoute site => (Yesod.HandlerSite m -> AuthToken) -> Yesod.Route site -> ([T.Text] -> Bool) -> m Yesod.AuthResult
+checkAuthToken extractAuthToken r predicate
+ | not (predicate (fst (Yesod.renderRoute r))) = return Yesod.Authorized
+ | otherwise = do
+ webapp <- Yesod.getYesod
+ req <- Yesod.getRequest
+ let params = Yesod.reqGetParams req
+ if (toAuthToken <$> lookup "auth" params) == Just (extractAuthToken webapp)
+ then return Yesod.Authorized
+ else Yesod.sendResponseStatus unauthorized401 ()
 {- A Yesod joinPath method, which adds an auth cgi parameter to every - url matching a predicate, containing a token extracted from the
diff --git a/doc/bugs/Webapp_missing_CSS_and_JS_resources___40__401_Unauthorized__41__/comment_2_20e774c16d6978e0a1137a1e406da244._comment b/doc/bugs/Webapp_missing_CSS_and_JS_resources___40__401_Unauthorized__41__/comment_2_20e774c16d6978e0a1137a1e406da244._comment
new file mode 100644
index 0000000000..eb630f3645
--- /dev/null
+++ b/doc/bugs/Webapp_missing_CSS_and_JS_resources___40__401_Unauthorized__41__/comment_2_20e774c16d6978e0a1137a1e406da244._comment
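Review bot: The token comparison in the `otherwise` branch still uses `==` between the looked-up `auth` parameter and `extractAuthToken webapp`; if `AuthToken` is backed by Text or a ByteString (its definition is outside this hunk), that comparison returns as soon as the first differing byte is found, which is a timing side channel on a bearer secret, and a constant-time comparison helper would be the safer default for the new code. The predicate is applied to `fst (Yesod.renderRoute r)`, i.e. the canonical route pieces rather than the raw request path, so a request is exempted only once Yesod has actually routed it to a static route; that is worth stating in the comment block, e.g. `- The predicate sees the rendered route pieces, not the raw request path.`. The signature quantifies `site` separately from `Yesod.HandlerSite m`, so a route of an unrelated site type is accepted; `Yesod.Route (Yesod.HandlerSite m)` (with the matching `Yesod.RenderRoute` constraint) would make the intended relation explicit. The comment block this hunk edits begins before the hunk.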
@@ -0,0 +1,16 @@
+[[!comment format=mdwn
+ username="joey"
+ subject="""comment 2"""
+ date="2016-11-10T17:30:57Z"
+ content="""
+I don't reproduce the problem here. From where did you install git-annex?
+
+This seems likely to have something to do with the version of yesod it was
+built against.
+
+No session cookie is used; the auth token is not supposed to be needed when
+accessing urls under `/static/`. Looking at the code, this was not done
+explicitly; it seems to have relied on yesod not checking for authorization
+for static site parts. I've committed a change, to explicitly skip auth for
+`/static/` but without being able to reproduce the problem, can't test it.
+"""]]