Simon,
Guest via RT wrote:
> I don't think this is a bug, because you don't claim to honour ACLs but
> perhaps it could be filed as a feature request.
>
> I have an ACL set up on our repos that allows some people read access to
> only certain projects with the repository. Using SVN::Web however, they
> have access to all of the projects.
>
> It would be an excellent addition if the ACLs could be checked and
> prevent access to projects, branches etc if the user doesn't have rights.
>
> We use basic auth (over SSL) to restrict access to the repository so
> this could be picked up from the environment.
>
> I've got too many projects on already but if you can tell me where to
> start poking I might be able to contribute.
I *suspect* this is something that you can configure in Apache. At this
point I should confess that I know very little about how you'd configure
Apache to do this -- what follows is based on reading the documentation,
I've not tested any of it.
As described in the SVN::Web documentation, an SVN::Web URL looks like this:
.../<repo>/<action>/<path>?<arguments>
Since the <path> is normally present, you can use this to authenticate the user.
Say your repo has two top level directories, /group1, and /group2, with
projects underneath:
/group1/project1
/group1/project2
/group2/project1
/group2/project2
and you don't want people in group1 to be able to see the projects under
/group2, and vice-versa.
In theory (as I say, this is untested) you should be able to do this.
First, configure SVN::Web as normal, and make sure it works. Suppose your
single repo is called 'repo', so the URLs look like this:
.../repo/browse/group1/project1
.../repo/browse/group1/project2
.../repo/browse/group2/project1
.../repo/browse/group2/project2
(if you're browsing -- 'browse' may also be 'view', 'log', 'checkout', and
so on).
Add the necessary directives to your Apache configuration to enforce
authentication.
    <LocationMatch ".../repo/.*/group1/.*">
        AuthType Basic
        AuthName "Group 1 projects"
        AuthUserFile /path/to/your/password/file
        Require valid-user
    </LocationMatch>
Where "..." is the beginning of the URL to your SVN::Web installation.
You'd have a similar LocationMatch directive that would match group2's projects.
You should be able to use the same AuthName and AuthUserFile that you're
using to do your existing user authentication, so users should find that the
same user names and passwords work from the command line and when using the
web interface.
Obviously you can have as many LocationMatch directives as you want, to make
the control as fine-grained as necessary.
I couldn't find information about Apache's regex format in the documentation
I have, so that LocationMatch example might not be quite right. Hopefully
it gives you an idea of how to proceed though.
There's one fly in this ointment -- the 'revision' action doesn't act on a
repository path, it acts on a repository revision number. Because of this,
you can't use the path to authenticate the user. Since a particular
revision could in theory affect paths under both /group1 and /group2 there's
no easy way around this, short of disabling the 'revision' action entirely
(which you can do -- it's a simple edit to config.yaml). This does lose
some valuable functionality from SVN::Web though.
An approach which would solve this is to give each group their own
Subversion repository. SVN::Web can display both those repos, and you can
use the <repo> part of the URL in the LocationMatch statement instead of the
<path>. Since each repo is completely separate, the 'revision' action issue
doesn't come up.
I hope that helps -- as I say, I don't have much experience with configuring
Apache to carry out authentication, so take the above with a grain of salt.
If you do get this working I'd be grateful if you could write up the
process so that I can include it in the documentation for future versions of
SVN::Web.
N
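
An added example (not part of the original message and not SVN::Web's own code): a small Python check of which SVN::Web URLs a set of path-based LocationMatch patterns would cover, including the 'revision' case described above. The /svnweb prefix, the anchored patterns and the sample URLs are assumptions; Python's re module stands in for Apache's regex matching, which is adequate for patterns this simple.

```python
import re
from urllib.parse import urlsplit

# Assumed mount point for SVN::Web; the message elides it as "...".
BASE = "/svnweb"

# Hypothetical per-group patterns: anchored at the start of the path and
# allowing exactly one <action> segment before the group directory.
RULES = {
    "group1": re.compile(r"^" + BASE + r"/repo/[^/]+/group1(/|$)"),
    "group2": re.compile(r"^" + BASE + r"/repo/[^/]+/group2(/|$)"),
}


def matching_rules(url, rules=RULES):
    """Return the names of the rules whose pattern matches the URL path.

    LocationMatch is applied to the URL path only, so the query string
    (<arguments>) is dropped before matching.
    """
    path = urlsplit(url).path
    return sorted(name for name, rx in rules.items() if rx.search(path))


def audit(urls, rules=RULES):
    """Sort URLs into: covered by one rule, by no rule, or by several."""
    report = {"covered": {}, "uncovered": [], "ambiguous": []}
    for url in urls:
        hits = matching_rules(url, rules)
        if len(hits) == 1:
            report["covered"][url] = hits[0]
        elif not hits:
            report["uncovered"].append(url)
        else:
            report["ambiguous"].append(url)
    return report


# Constructed sample URLs in the .../<repo>/<action>/<path>?<arguments> layout.
SAMPLE_URLS = [
    "/svnweb/repo/browse/group1/project1",
    "/svnweb/repo/log/group2/project2?limit=20",
    "/svnweb/repo/view/group1/project2/README",
    "/svnweb/repo/revision?rev=42",   # 'revision' action: no <path> to match
    "/svnweb/repo/browse/",           # repository root listing
]

if __name__ == "__main__":
    for kind, urls in audit(SAMPLE_URLS).items():
        print(kind, urls)
```

Anything reported as uncovered needs its own decision, such as disabling the 'revision' action or splitting the groups into separate repositories as the message suggests.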