Stefan Sperling <stsp@stsp.name> wrote:
> On Tue, Dec 09, 2025 at 01:27:39PM +0100, Stefan Sperling wrote:
> > Thinking about this some more, I think you are right that we should
> > allow authentication for websites to be configured by the user.
> > 
> > The website and authentication features are orthogonal, i.e. there are
> > no bad side effects from flipping them on/off independently.
> > 
> > When authentication settings are inherited from global or server scope,
> > not having them apply inside a website block might be surprising. When
> > authentication is enabled globally, we will probably be going to meet
> > user expectations better when they have to type 'disable authentication'
> > explicitly before a website is exposed.
> > 
> > And there will probably be use cases for having authentication enabled
> > for websites. E.g. blocking crawlers temporarily, reviewing websites
> > that are still in draft stage among a private group of people, and
> > restricting access to private information related to a project where
> > this information is displayed on a website for convenience.
> > 
> > There would be little maintenance effort for us to support this.
> > We could make website blocks embed 'enable authentication' and 'disable
> > authentication' statements much like repository config blocks do, using
> > the same inheritance semantics.
> 
> Diff for the above.
> 
> ok?

sorry for the delay; only lightly tested so far but ok op@

will continue testing the hell out of it before next release :)


Thanks!
Omar Polo