--- /opt/os/linux/src/subversion-1.5.5/subversion/mod_authz_svn/mod_authz_svn.c 2007-12-29 20:12:34.000000000 +0000 +++ mod_authz_svn.c 2009-01-10 13:08:45.484134687 +0000 @@ -44,6 +44,7 @@ int authoritative; int anonymous; int no_auth_when_anon_ok; + int authz_per_repos; const char *base_path; const char *access_file; } authz_svn_config_rec; @@ -60,10 +61,23 @@ /* By default keep the fortress secure */ conf->authoritative = 1; conf->anonymous = 1; + conf->authz_per_repos = 0; return conf; } +/* Defer any parsing of AuthzSVNAccessFile until we have the request */ +AP_DECLARE_NONSTD(const char *) set_authz_slot(cmd_parms *cmd, + void *struct_ptr, + const char *arg) +{ + int offset = (int)(long)cmd->info; + + *(const char **) ((char*)struct_ptr + offset) = arg; + + return NULL; +} + static const command_rec authz_svn_cmds[] = { AP_INIT_FLAG("AuthzSVNAuthoritative", ap_set_flag_slot, @@ -71,10 +85,15 @@ OR_AUTHCFG, "Set to 'Off' to allow access control to be passed along to " "lower modules. (default is On.)"), - AP_INIT_TAKE1("AuthzSVNAccessFile", ap_set_file_slot, + AP_INIT_TAKE1("AuthzSVNAccessFile", set_authz_slot, (void *)APR_OFFSETOF(authz_svn_config_rec, access_file), OR_AUTHCFG, "Text file containing permissions of repository paths."), + AP_INIT_FLAG("AuthzSVNAccessFilePerRepository", ap_set_flag_slot, + (void *)APR_OFFSETOF(authz_svn_config_rec, authz_per_repos), + OR_AUTHCFG, + "Set to 'On' to make AuthzSVNAccessFile relative to " + "each repository directory. (default is Off.)"), AP_INIT_FLAG("AuthzSVNAnonymous", ap_set_flag_slot, (void *)APR_OFFSETOF(authz_svn_config_rec, anonymous), OR_AUTHCFG, @@ -94,23 +113,61 @@ }; /* + * Get the full path for the authorization file. + */ +static const char *get_access_file(request_rec *r, + authz_svn_config_rec *conf) +{ + const char *access_file = conf->access_file; + const char *repos_fs_path; + dav_error *dav_err; + + /* See if we are using a separate authorization file per repository */ + if (conf->authz_per_repos) { + + /* Get the repository filesystem path */ + dav_err = dav_svn_get_repos_path(r, conf->base_path, &repos_fs_path); + if (dav_err) { + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, + "%s [%d, #%d]", + dav_err->desc, dav_err->status, dav_err->error_id); + return NULL; + } + + // Append AuthzSVNAccessFile to the repository filesystem path + while (*access_file == '/') ++access_file; + access_file = svn_path_join(repos_fs_path, access_file, r->pool); + } + + // Finally do the deferred tidying up of the authorization file path + access_file = ap_server_root_relative(r->pool, access_file); + + return access_file; +} + +/* * Get the, possibly cached, svn_authz_t for this request. */ static svn_authz_t *get_access_conf(request_rec *r, authz_svn_config_rec *conf) { + const char *access_file; const char *cache_key = NULL; void *user_data = NULL; svn_authz_t *access_conf = NULL; svn_error_t *svn_err; char errbuf[256]; + /* Get the full path for the authorization file */ + access_file = get_access_file(r, conf); + if (access_file == NULL) return NULL; + cache_key = apr_pstrcat(r->pool, "mod_authz_svn:", - conf->access_file, NULL); + access_file, NULL); apr_pool_userdata_get(&user_data, cache_key, r->connection->pool); access_conf = user_data; if (access_conf == NULL) { - svn_err = svn_repos_authz_read(&access_conf, conf->access_file, + svn_err = svn_repos_authz_read(&access_conf, access_file, TRUE, r->connection->pool); if (svn_err) { ap_log_rerror(APLOG_MARK, APLOG_ERR,