mahara-contributors team mailing list archive

[Bug 1470064] Re: webservices complain about no HTTPS even for simple user authentication

 

Hi Howard,

Thanks for the bug report!

The behavior you describe is indeed a bit backwards. From a security
standpoint, I think it would make more sense if we required HTTPS for
username/password and made it optional for token-based. Although I
suppose if your site is HTTP-only, then your usernames & passwords are
already going over plaintext when your users come to the site, so it
shouldn't matter if they're also doing that when using webservices.

** Also affects: mahara/15.10
   Importance: Undecided
       Status: New

** Also affects: mahara/15.04
   Importance: Undecided
       Status: New

** Changed in: mahara/15.04
    Milestone: None => 15.04.2

** Changed in: mahara/15.10
    Milestone: None => 15.10.0

** Changed in: mahara/15.04
       Status: New => Triaged

** Changed in: mahara/15.10
       Status: New => Triaged

** Changed in: mahara/15.04
   Importance: Undecided => Medium

** Changed in: mahara/15.10
   Importance: Undecided => Medium

** Tags added: webservices

-- 
You received this bug notification because you are a member of Mahara
Contributors, which is subscribed to Mahara.
Matching subscriptions: Subscription for all Mahara Contributors -- please ask on #mahara-dev or mahara.org forum before editing or unsubscribing it!
https://bugs.launchpad.net/bugs/1470064

Title:
  webservices complain about no HTTPS even for simple user
  authentication

Status in Mahara ePortfolio:
  Triaged
Status in Mahara 15.04 series:
  Triaged
Status in Mahara 15.10 series:
  Triaged

Bug description:
  Mahara 15.04

  To reproduce...

  - use a site with HTTP (not HTTPS)
  - Create a web service user 
  - configure the user through 'Manage service users' to access any suitable method (e.g. get institution users)
  - use the web services test client with any protocol you like and execute the selected method
  - An error is thrown...

  "exception: Forbidden - HTTPS must be used"

  The documentation (such as it is) indicates that HTTPS is only
  required for token-based authentication, not simple username/password.

To manage notifications about this bug go to:
https://bugs.launchpad.net/mahara/+bug/1470064/+subscriptions

