Perform "push requires ssl" check before authentication

Issue #509 resolved
Former user created an issue

If an administrator enables the "push requires ssl" option, RhodeCode refuses a push over HTTP only after asking for authentication details. For a more secure setup, it should refuse pushing over HTTP before authentication.

The most practical use of the "push requires ssl" option is securing HTTP authentication with the help of SSL. If this is the case, then RhodeCode should not allow someone to send a username/password in clear-text form just to print "requires ssl".

Comments (3)

  1. Marcin Kuzminski repo owner
    • changed milestone to 1.4

    The issue here is that this check is done by Mercurial, and it's after basic auth. I totally agree this should be changed to verify SSL as the initial first step.

  2. Marcin Kuzminski repo owner

    Now the SSL check is done via middleware, and it forbids the request before basic auth is triggered.

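The ordering discussed in this issue, sketched as WSGI middleware. This is an added example, not RhodeCode's own code: the class name `PushRequiresSSL`, the helper names, the stand-in `basic_auth_app`, and the choice of `unbundle`/`pushkey` as the Mercurial write commands are assumptions made for illustration.

```python
from urllib.parse import parse_qs

# Mercurial wire-protocol commands treated as "push" here (assumed set).
HG_WRITE_CMDS = {"unbundle", "pushkey"}


class PushRequiresSSL:
    """Hypothetical middleware: reject plain-HTTP pushes before any auth."""

    def __init__(self, app, trust_forwarded_proto=False):
        self.app = app
        # Honour X-Forwarded-Proto only when a trusted proxy sets it.
        self.trust_forwarded_proto = trust_forwarded_proto

    def _is_https(self, environ):
        if environ.get("wsgi.url_scheme") == "https":
            return True
        if self.trust_forwarded_proto:
            return environ.get("HTTP_X_FORWARDED_PROTO", "").lower() == "https"
        return False

    def _is_push(self, environ):
        cmds = parse_qs(environ.get("QUERY_STRING", "")).get("cmd", [])
        return any(c in HG_WRITE_CMDS for c in cmds)

    def __call__(self, environ, start_response):
        if self._is_push(environ) and not self._is_https(environ):
            body = b"push requires ssl\n"
            # 403 without WWW-Authenticate: the client is never challenged,
            # so it is not prompted to send credentials in clear text.
            start_response("403 Forbidden", [
                ("Content-Type", "text/plain"),
                ("Content-Length", str(len(body)))])
            return [body]
        return self.app(environ, start_response)


def basic_auth_app(environ, start_response):
    """Stand-in for the wrapped app: always issues a Basic auth challenge."""
    start_response("401 Unauthorized",
                   [("WWW-Authenticate", 'Basic realm="repo"')])
    return [b""]


def status_for(scheme, query, headers=None, **kw):
    """Send one constructed request through the stack; return (status, headers)."""
    seen = []
    environ = {"wsgi.url_scheme": scheme, "QUERY_STRING": query}
    environ.update(headers or {})
    PushRequiresSSL(basic_auth_app, **kw)(environ, lambda s, h: seen.append((s, h)))
    return seen[0]
```

Read commands still pass through to the wrapped application in this sketch, so it only changes the ordering for the write commands listed in `HG_WRITE_CMDS`.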