On Tue, Oct 22, 2002 at 05:44:36PM +0200, Wolf Josef wrote:
>...
> >> and put the following into /local/svn/repos/project/.htaccess :
> >
> > AFAIK, the URLs handled by mod_dav_svn are not mapped to
> > physical filesystem locations
> > under /local/svn/repos, so apache won't look there for an .htaccess.
That is correct, and by design. We did not want to rely on Apache's mapping
of URL to filesystem locations to determine where the underlying repository
is located. If an admin was not careful, they could end up exposing the raw
bits of their repository. A person could just grab .../repos/db/strings and
circumvent all kinds of stuff.
>...
> > (Moreover I have the impression that you're mixing two
> > repository in the same filesystem tree here)
>
> I am trying to hack an cgi-based repository administration tool, so
> people can create and manage their repos without logging in onto
> the server. This cgi creates all the files which are needed to
> control access to the existing repositories. I don't want to put this
> information directly into httpd.conf for two reasons: first, it would
> require to restart httpd from withhin the cgi. Second, I dont want to make
> httpd.conf writable by the httpd process.
You had the following fragment:
<Location /svn/repos>
DAV svn
SVNParentPath /local/svn/repos
You might be able to do something like this:
Alias /svn/repos /local/svn/docroot
<Location /svn/repos>
DAV svn
SVNParentPath /local/svn/repos
That keeps the repositories "out" of the doc root, yet it also gives Apache
a way to find a .htaccess file in the filesystem. That is, you could put the
.htaccess at /local/svn/docroot/.htaccess. If that doesn't work, then try
aliasing /svn to a filesystem location and putting the content in there.
Inside of the .htaccess, you might be able to use the Include directive to
include everything in a subdirectory. Within that subdir, you can have
configuration fragments for each of the projects.
While this should work, it is *not* going to be fast. Not by a long shot.
Recall that Apache is going to load that .htaccess for *EVERY* access. A
checkout of 1000 files is going to read that .htaccess file for each file
and dir.
> > If you want to control access based on different subprojects
> > in your repository, you need to use a hook script.
That won't cause HTTP authentication to kick in, though. And that means that
you won't get real usernames in your repository either.
>...
> This is exactly what I am trying to do... The cgi would create and
> manage the AuthGroupFile for the repos in question. And I would like
> to enable/disable browsing of the whole repos (not specific paths
> withhin the repos) based on that information. Is there really no way
> to do such a thing?
Something similar to above might work. But I don't see it being all that
fast. If you have 1000 projects, then that .htaccess will get really big
(via the loading the 1000 sub-files for inclusion into .htaccess).
I really think that you'd want to write a new kind of authentication and
authorization module. They aren't all that difficult, but it would be in C.
I believe that mod_perl and mod_python can allow you to write auth modules,
so that might be another avenue.
Cheers,
-g
--
Greg Stein, http://www.lyra.org/
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
For additional commands, e-mail: dev-help@subversion.tigris.org
Received on Wed Oct 23 02:50:23 2002