[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

Re: Specify the user when a command is run?

From: Greg Stein <gstein_at_lyra.org>
Date: 2002-10-23 02:50:08 CEST

On Tue, Oct 22, 2002 at 05:44:36PM +0200, Wolf Josef wrote:
>...
> >> and put the following into /local/svn/repos/project/.htaccess :
> >
> > AFAIK, the URLs handled by mod_dav_svn are not mapped to
> > physical filesystem locations
> > under /local/svn/repos, so apache won't look there for an .htaccess.

That is correct, and by design. We did not want to rely on Apache's mapping
of URL to filesystem locations to determine where the underlying repository
is located. If an admin was not careful, they could end up exposing the raw
bits of their repository. A person could just grab .../repos/db/strings and
circumvent all kinds of stuff.

>...
> > (Moreover I have the impression that you're mixing two
> > repository in the same filesystem tree here)
>
> I am trying to hack an cgi-based repository administration tool, so
> people can create and manage their repos without logging in onto
> the server. This cgi creates all the files which are needed to
> control access to the existing repositories. I don't want to put this
> information directly into httpd.conf for two reasons: first, it would
> require to restart httpd from withhin the cgi. Second, I dont want to make
> httpd.conf writable by the httpd process.

You had the following fragment:

 <Location /svn/repos>
    DAV svn
    SVNParentPath /local/svn/repos

You might be able to do something like this:

 Alias /svn/repos /local/svn/docroot
 <Location /svn/repos>
    DAV svn
    SVNParentPath /local/svn/repos

That keeps the repositories "out" of the doc root, yet it also gives Apache
a way to find a .htaccess file in the filesystem. That is, you could put the
.htaccess at /local/svn/docroot/.htaccess. If that doesn't work, then try
aliasing /svn to a filesystem location and putting the content in there.

Inside of the .htaccess, you might be able to use the Include directive to
include everything in a subdirectory. Within that subdir, you can have
configuration fragments for each of the projects.

While this should work, it is *not* going to be fast. Not by a long shot.
Recall that Apache is going to load that .htaccess for *EVERY* access. A
checkout of 1000 files is going to read that .htaccess file for each file
and dir.

> > If you want to control access based on different subprojects
> > in your repository, you need to use a hook script.

That won't cause HTTP authentication to kick in, though. And that means that
you won't get real usernames in your repository either.

>...
> This is exactly what I am trying to do... The cgi would create and
> manage the AuthGroupFile for the repos in question. And I would like
> to enable/disable browsing of the whole repos (not specific paths
> withhin the repos) based on that information. Is there really no way
> to do such a thing?

Something similar to above might work. But I don't see it being all that
fast. If you have 1000 projects, then that .htaccess will get really big
(via the loading the 1000 sub-files for inclusion into .htaccess).

I really think that you'd want to write a new kind of authentication and
authorization module. They aren't all that difficult, but it would be in C.
I believe that mod_perl and mod_python can allow you to write auth modules,
so that might be another avenue.

Cheers,
-g

-- 
Greg Stein, http://www.lyra.org/
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
For additional commands, e-mail: dev-help@subversion.tigris.org
Received on Wed Oct 23 02:50:23 2002

This is an archived mail posted to the Subversion Dev mailing list.

This site is subject to the Apache Privacy Policy and the Apache Public Forum Archive Policy.