wiki:PermRedirectPlugin

Redirect users to the login screen on PermissionError

Description

This plugin provides the following features related to Trac login:

  • When an anonymous user attempts to visit a page that the user does not have access to, the user will be sent to the login screen instead of seeing Trac's built-in "Permission Error: maybe you should log in" page.
  • The plugin can also be configured to ensure that all access to the login screen occurs over HTTPS.

These features are independent of one another: you can install the plugin to provide either feature, or both.

Bugs/Feature Requests

Existing bugs and feature requests for PermRedirectPlugin are here.

If you have any issues, create a new ticket.

  • defect: 9 / 12
  • enhancement: 3 / 3
  • task: 3 / 3

Download

Download the zipped source from here. The eggs are available for installation as pypi:TracPermRedirect.

Source

You can check out PermRedirectPlugin from here using Subversion, or browse the source with Trac.

Installation

General instructions on installing Trac plugins can be found on the TracPlugins page.

To enable, add the following to your trac.ini file:

[components]
permredirect.* = enabled

This will enable the "redirect to login screen on permission error" feature. The "HTTPS only" feature will not be enabled.

Configuration

To additionally enable the "HTTPS only" feature, use the following in the trac.ini file:

[permredirect]
redirect_login_https = true

To enable the "HTTPS only" feature and disable the "redirect to login screen on permission error" feature, use the following in the trac.ini file:

[permredirect]
redirect_login = false
redirect_login_https = true

HTTPS Only

The plugin provides a feature to ensure that all requests to the login page occur over HTTPS, which can be enabled as described in the "Configuration" section above. This will intercept all requests to http://hostname.com/login and redirect them to https://hostname.com/login instead.

For this feature to work, you must configure your web server to accept HTTPS requests on port 443. This feature will only work if your web server is serving HTTP requests on port 80 and HTTPS requests on port 443; no other configurations are currently supported. Also, this feature should only be enabled if you are using AccountManager to handle login. If your site's login occurs in the web server, e.g. Apache authentication, then this feature will not be able to secure your login handler.

It is also possible to implement a similar feature without this plugin at all, using RewriteRules in your Apache configuration. This alternative approach must be used if you are handling login through the Apache web server. Your Apache configuration would include lines like:

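# Redirect all login pages to https
RewriteEngine On
RewriteCond %{HTTPS} off
# Flags must be comma-separated with no space; NE keeps the query string from being escaped again
RewriteRule ^/([^/]+)/login$ https://%{HTTP_HOST}:443/$1/login [L,NE]

Note the [NE] (no-escape) flag: it is important. See "Frequently Asked Questions" below.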

For more details, see the various example configurations posted in comments at #4733.

Frequently Asked Questions

Q: After logging in, Trac always loads the home page instead of the page the user came from. On the login page, the ?referer query string is double-quoted (double-encoded): it looks like ?referer=http%253A%252F%252Fthe_host%252Fthe_project%252Ftimeline, with the "%" in "%3A" re-quoted to create "%253A", instead of ?referer=http%3A%2F%2Fthe_host%2Fthe_project%2Ftimeline. Why is this?

A: This is caused by a faulty Apache configuration. You are probably using a RewriteRule to redirect login over HTTPS. You must use the [NE] (no-escape) flag on your RewriteRule to prevent double-quoting. For more information, see http://trac-hacks.org/ticket/2210#comment:36
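
The double-encoding described in this answer can be confirmed from the web server's access log. The following Python code is an added example, not part of the plugin or its documentation; the log lines are constructed, and `escape_without_ne` is a simplified model of the re-escaping (only "%" becoming "%25"), not Apache's own escaping routine.

```python
import re
from urllib.parse import urlsplit, parse_qs

def escape_without_ne(location):
    """Simplified model of a rewrite without [NE]: each '%' in the
    already-encoded redirect target is escaped again as '%25'."""
    return location.replace("%", "%25")

def referer_state(url):
    """Classify the referer parameter of a login URL."""
    values = parse_qs(urlsplit(url).query).get("referer")
    if not values:
        return "absent"
    once = values[0]  # parse_qs has already removed one layer of encoding
    # If a percent-encoded scheme separator is still present after one
    # decode, the value was encoded twice.
    if re.match(r"https?%3A%2F%2F", once, re.IGNORECASE):
        return "double-encoded"
    return "ok"

def double_encoded_logins(log_lines):
    """Return the request targets of /login hits whose referer is double-encoded."""
    hits = []
    for line in log_lines:
        m = re.search(r'"(?:GET|POST) (\S+) HTTP/', line)
        if not m:
            continue
        target = m.group(1)
        if urlsplit(target).path.endswith("/login") and \
                referer_state(target) == "double-encoded":
            hits.append(target)
    return hits

# Constructed access-log lines (documentation IP range, host names from the FAQ).
SAMPLE_LOG = [
    '192.0.2.10 - - [05/Mar/2013:01:20:08 +0000] "GET /the_project/login'
    '?referer=http%253A%252F%252Fthe_host%252Fthe_project%252Ftimeline HTTP/1.1" 200 512',
    '192.0.2.11 - - [05/Mar/2013:01:21:29 +0000] "GET /the_project/login'
    '?referer=http%3A%2F%2Fthe_host%2Fthe_project%2Ftimeline HTTP/1.1" 200 512',
    '192.0.2.12 - - [05/Mar/2013:01:21:58 +0000] "GET /the_project/timeline HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for target in double_encoded_logins(SAMPLE_LOG):
        print("double-encoded referer:", target)
```

Any hit from `double_encoded_logins` on your own log indicates that a RewriteRule for the login redirect is missing the [NE] flag.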

Recent Changes

12683 by ejucovy on 2013-03-05 01:21:58
tag 3.0
12682 by ejucovy on 2013-03-05 01:21:29
make tags dir
12681 by ejucovy on 2013-03-05 01:20:08
release paperwork

Author/Contributors

Author: coderanger
Maintainer: ejucovy
Contributors:

Last modified on Jan 17, 2016, 4:50:24 PM