
RE: Apache not restricting write access or capturing author

From: John Niven <jniven_at_bravurasolutions.com>
Date: Thu, 21 Aug 2008 16:35:07 +1200

> -----Original Message-----
> From: Quinn Taylor [mailto:quinntaylor_at_mac.com]
> Sent: Thursday, 21 August 2008 16:25
> To: users_at_subversion.tigris.org
> Subject: Apache not restricting write access or capturing author
>
> I'm testing how to set up a repository for BYU CocoaHeads
> [http://cocoaheads.byu.edu] for a group of coders who want
> to publicly share code. We want public (anonymous) read
> access, but wish to restrict write access to a pool of
> authorized users so the repository doesn't become polluted by
> members who don't know what they're doing, or worse, by
> malicious outsiders. Our site is run using Drupal 6, and I've
> been working on getting mod_auth_mysql to tie into the
> existing database, such that usernames and passwords
> synchronize automatically, since Drupal has a nice interface
> for creating/changing them. As far as I can tell, the setup
> is (mostly) correct, but I'm seeing odd problems.
>
> My test setup can be viewed in a browser or checked out from this URL:
>
> http://dysart.cs.byu.edu/chsvn/
>
> The repository is publicly viewable, but it seems that the
> restrictions I (think I) have described are not working
> correctly. I'm fairly certain that these problems are
> linked, namely, that the lack of restricting write access is
> allowing anonymous commits, so I get (no
> author) in my repository.
>

You could well be right. I'm not familiar with MySQL as an
authorisation backend, so I could be hugely wrong, but CollabNet's C
Michael Pilato (an SVN dev) posted a blog article about a similar
scenario: http://blogs.open.collab.net/svn/2007/03/authz_and_anon_.html

Hope it helps
John

> I've configured the module parameters according to how Drupal
> stores data. My httpd.conf file includes the following (with
> the appropriate database, username, and password):
>
> <Location /chsvn>
> DAV svn
> SVNIndexXSLT /svnindex.xsl
> SVNPath /Users/cocoaheads/Subversion/cocoaheads
> SVNReposName "CocoaHeads SVN Repository"
> AuthName "CocoaHeads SVN Repository"
> AuthType Basic
> Satisfy Any
>
> AuthMySQLEnable On
> AuthMySQLHost localhost
> AuthMySQLDB ***
> AuthMySQLUser ***
> AuthMySQLPassword ***
> AuthMySQLUserTable "users, users_roles"
> AuthMySQLNameField name
> AuthMySQLPasswordField pass
> AuthMySQLPwEncryption md5
>
> AuthBasicAuthoritative Off
> AuthMySQLAuthoritative On
>
> # Restrict write access only
> <LimitExcept GET PROPFIND OPTIONS REPORT>
> # Site Managers and Administrators
> AuthMySQLUserCondition "users.uid = users_roles.uid AND users_roles.rid IN (3,4)"
> Require valid-user
> </LimitExcept>
> </Location>
>
>
> I'm not an Apache expert by any stretch of the imagination,
> and my understanding of how exactly Apache handles SVN actions (e.g.
> PROPFIND, CHECKOUT, MERGE, etc.) is very weak. Any help in
> getting this resolved would be much appreciated. I can
> provide Apache logs as requested. Specifically, where would I
> find information about authentication/authorization, what the
> difference is in terms of SVN activity, logs of such
> activity, etc. would be awesome. I realize it's a lot to ask,
> and I don't expect an essay in response; even links to help
> explain would be very useful.
>
> Thanks in advance,
> - Quinn

Received on 2008-08-21 06:35:38 CEST
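
An added check, not part of the original thread and not Subversion or Apache code: under a simplified model of Apache 2.2 access control, it shows why the Satisfy Any line in the quoted block can leave write methods open to clients with no credentials, and that without it Require valid-user applies to them. The function names, the trimmed sample config and the list of write methods are assumptions made for illustration.

```python
import re

# Methods a Subversion commit over mod_dav_svn uses (a subset, for illustration).
WRITE_METHODS = ["MKACTIVITY", "CHECKOUT", "PUT", "PROPPATCH", "MKCOL", "DELETE", "MERGE"]

# Constructed sample: the quoted <Location> block, trimmed to its access-control lines.
QUOTED = """<Location /chsvn>
DAV svn
AuthType Basic
Satisfy Any
<LimitExcept GET PROPFIND OPTIONS REPORT>
Require valid-user
</LimitExcept>
</Location>
"""
WITHOUT_SATISFY = QUOTED.replace("Satisfy Any\n", "")

def _applies(scope, method):
    """scope is None (whole block) or (section name, methods listed in its tag)."""
    if scope is None:
        return True
    kind, listed = scope
    return (method in listed) if kind == "limit" else (method not in listed)

def anonymous_methods(conf, methods=WRITE_METHODS):
    """Return the methods that this block lets through with no credentials."""
    directives, scope = [], None
    for line in (raw.strip() for raw in conf.splitlines()):
        opened = re.match(r"<(LimitExcept|Limit)\s+([^>]*)>$", line, re.I)
        if opened:
            scope = (opened.group(1).lower(), set(opened.group(2).upper().split()))
        elif re.match(r"</Limit(Except)?>$", line, re.I):
            scope = None
        elif line and line[0] not in "<#":
            name, _, args = line.partition(" ")
            directives.append((name.lower(), args.strip().lower(), scope))
    found = []
    for method in methods:
        active = [(n, a) for n, a, s in directives if _applies(s, method)]
        required = any(n == "require" for n, _ in active)
        satisfy = [a for n, a in active if n == "satisfy"]
        satisfy_any = bool(satisfy) and satisfy[-1] == "any"
        # No Deny directive: the host check passes for every client.
        host_open = not any(n == "deny" for n, _ in active)
        # Satisfy Any grants access when EITHER the host check OR the login passes.
        if host_open and (satisfy_any or not required):
            found.append(method)
    return found

if __name__ == "__main__":
    print("quoted block, anonymous writes:", anonymous_methods(QUOTED))
    print("without Satisfy Any:", anonymous_methods(WITHOUT_SATISFY))
```

The model ignores Allow/Order evaluation and configuration merging across sections, so treat its answer as a prompt to test the live server with an unauthenticated commit attempt.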

This is an archived mail posted to the Subversion Users mailing list.
