The restws_basic_auth_user_regex variable has the following documentation.
Per default only user names starting with "restws" will be tried to log in. This
can be configured with the "restws_basic_auth_user_regex" variable, which allows
you to define an arbitrary pattern that the user names must match. This avoids
unecessary login attempts for standard human users on protected sites.You can configure the regex (suitable for preg_match()) in your settings.php,
e.g.:$conf['restws_basic_auth_user_regex'] = '/^web_service.*/';
and in code comment:
// Login only user names that match a pattern.
Can you clarify why someone wouldn't want to set it to just
$conf['restws_basic_auth_user_regex'] = '/.*/';
Comment | File | Size | Author |
---|---|---|---|
#8 | restws-docs_and_more_lenient_by_default-1946108-8.patch | 2.09 KB | pachabhaiya |
#3 | 1946108_docs_and_more_lenient_by_default.patch | 1.46 KB | greggles |
Comments
Comment #1
emmonsaz CreditAttribution: emmonsaz commentedI agree. I don't even see why this check is needed. I vote for removing the regex check altogether -- it only causes new user confusion and is difficult to troubleshoot.
Comment #2
klausiThe purpose of this variable comes from development sites that are protected with HTTP basic auth in general. So you always need to send HTTP auth user name and password along when visiting the site with your browser and at the same time restws will always try to log you in with that same credentials. That is annoying and can have unwanted side effects when trying to login via a form for example.
For my use cases we always had a limited set of special users that performed the API requests so it was easy to restrict them with this regular expression. It allowed us to still use HTTP basic auth protected dev sites while restws_basic_auth is enabled.
So I don't really want to remove that regex check, but perhaps we could make it more friendly for starters? Take the all-in regex proposed by greggles as default value? Or even better: check if the variable actually exists before regex-ing at all.
Patches welcome!
Comment #3
gregglesAh, that makes sense.
Attached is a patch to document this. I think my statements are accurate, concise, and sufficiently explanatory. I also defaulted it to all users (at least I think I did - didn't test the regex).
Comment #4
emmonsaz CreditAttribution: emmonsaz commented@klausi, thanks for the explanation - the use case for the regex check now makes sense and I think the @greggles patch is a good compromise
Comment #5
klausithat contradicts the existing paragraph above, we should adapt/rewrite that.
Comment #8
pachabhaiya CreditAttribution: pachabhaiya as a volunteer and at Drupal Nepal commentedI've made some changes in the docs and updated the greggles's patch so that it applies cleanly in latest 7.x-2.x-dev version.