Currently the http library only checks credentials when authentication
is required. This means that any credentials are accepted on the root
resource, for example, which makes problems hard to diagnose - the
user/pw works for all queries, until one tries to do a modification at
which point fails.
This patch changes the PreHandleRequest() function to not ignore
credentials when passed, even if we don't require authentication. This
makes the behavior of RAPI more predictable.
Signed-off-by: Iustin Pop <iustin@google.com>
Reviewed-by: Guido Trotter <ultrotter@google.com>
"""
realm = self.GetAuthRealm(req)
- # Authentication required?
- if realm is None:
+ # Authentication not required, and no credentials given?
+ if realm is None and http.HTTP_AUTHORIZATION not in req.request_headers:
return
+ if realm is None: # in case we don't require auth but someone
+ # passed the crendentials anyway
+ realm = "Unspecified"
+
# Check "Authorization" header
if self._CheckAuthorization(req):
# User successfully authenticated