From alifshit at redhat.com Sat Feb  9 17:26:02 2019
Content-Type: multipart/mixed; boundary="===============4261480812323052319=="
MIME-Version: 1.0
From: Artom Lifshitz <alifshit at redhat.com>
To: users at lists.rdoproject.org
Subject: [rdo-users] Gerrit HTTP password 403
Date: Sat, 09 Feb 2019 12:25:48 -0500
Message-ID: <CACqyMicy=xM8dnp4AE_gu4+-2+jPzb7b3ikEqyN3NkONg4Hj3w@mail.gmail.com>

--===============4261480812323052319==
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable

Hey all,

There's a Gerrit app for Android that I'm trying, and it doesn't
support OAuth authentication [1]. To add RDO's Gerrit to it, I need to
generate an HTTP password (Profile picture in near the top right ->
Settings -> HTTP Password -> Generate). This worked fine on
OpenStack's Gerrit, but in RDO Gerrit it does nothing. Using Firefox's
dev tools, I was able to observe that the request [2] gets a 403 back.
I've added the full request/response exchange at the end of this
email, but I just want to know if this is intentionally disabled, or
did I just stumble upon a previously-unknown problem?

Cheers!

[1] https://github.com/jruesga/rview/issues/62
[2] https://review.rdoproject.org/r/Documentation/rest-api-accounts.html#se=
t-http-password

My browser's request:

PUT https://review.rdoproject.org/r/accounts/self/password.http HTTP/1.1

Accept: application/json
Accept-Encoding: gzip, deflate, br
Accept-Language: en-CA,en-US;q=3D0.7,en;q=3D0.3
Connection: keep-alive
Content-Length: 17
Content-Type: application/json; charset=3Dutf-8
Cookie: GerritAccount=3D<snip>
Host: review.rdoproject.org
Referer: https://review.rdoproject.org/r/
User-Agent: Mozilla/5.0 (X11; Fedora; Linu=E2=80=A6) Gecko/20100101 Firefox=
/64.0
X-Gerrit-Auth: <snip>

The response it got:

Connection: Keep-Alive
Content-Length: 231
Content-Type: text/html; charset=3Diso-8859-1
Date: Sat, 09 Feb 2019 17:16:51 GMT
Keep-Alive: timeout=3D5, max=3D100
Server: Apache/2.4.6 (CentOS) OpenSSL/=E2=80=A6.10 mod_wsgi/3.4 Python/2.7.5

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access /r/accounts/self/password.http
on this server.</p>
</body></html>

--===============4261480812323052319==--