On 29 March 2011 08:00, Brian <[email protected]> wrote:
> I currently use mod_python to manage permissions for a svn repository. The
> key part of my apache2 config looks like this:
>
> PythonAccessHandler MyProject.svn_authz::access
> PythonAuthenHandler MyProject.auth::authenticate
> PythonAuthzHandler MyProject.svn_authz::authorize
>
> I have made attempts to replace this with mod_wsgi, like this:
>
> WSGIAccessScript /usr/local/myproject/auth.wsgi
> WSGIAuthUserScript /usr/local/myproject/auth.wsgi
>
> In general, this works. I can allow control to the repository by user or
> allow anonymous access, but unfortunately I want to be able to allow some
> parts of the repo to be public and grant permissions by path. Even though
> the access_log looks the same between mod_python and mod_wsgi, in mod_python
> the request object had access to path_info, which would contain the path to
> the file being accessed. With mod_wsgi I seem to only have access to the
> environment variables, with only REQUEST_METHOD and REQUEST_URI being
> potentially useful. Through inspection I see REQUEST_URI first contains the
> requested path, like when doing a checkout. Each subsequent request in the
> same checkout action only has /svn/!svn/vcc/default or similar URIs, which
> is what I see in the access_log both with mod_python and mod_wsgi. For some
> reason the path_info element in mod_python always had some flavor of the
> filename. Without being able to know the path in mod_wsgi, I'm not sure how
> I can use WSGIAccessScript and WSGIAuthUserScript to manage fine-grained
> permissions in svn.

PATH_INFO is derived from whatever is in REQUEST_URI. The only
additional thing with PATH_INFO is that it would have been normalised,
but for a subversion client it should be using a well formed URI so what
you extract from REQUEST_URI should be fine, although it might still be a
good idea to do some sanity checks on it. Either way, the information
to do it should be there.

Alternatively, and depending on what operations you want to block, you
can do it at the Apache configuration level. For example the following
Apache configuration duplicates the listed thing from subversion
authnz file.

    # [Project1:/]
    # vishwajeet = rw
    <Location /svn/Project1/!svn/*/*/*>
        Require user vishwajeet
    </Location>

    # [Project2:/]
    # vishwajeet = r
    <Location /svn/Project2/!svn/*/*/*>
        Require user vishwajeet
        <LimitExcept OPTIONS GET PROPFIND REPORT COPY>
            deny from all
        </LimitExcept>
    </Location>

You could also start to tie this in with WSGIAuthGroupScript and have
what groups users are in defined by Python code. For example with
Location with path have:

    Require wsgi-group svn_read
    <LimitExcept GET PROPFIND OPTIONS REPORT>
        Require wsgi-group svn_write
    </LimitExcept>

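Where for Django the Python code behind it might be:

    from django import db
    from django.contrib.auth.models import User

    def groups_for_user(environ, user):
        # Clear Django's query log before doing the lookup.
        db.reset_queries()
        kwargs = {'username': user, 'is_active': True}
        try:
            try:
                user = User.objects.get(**kwargs)
            except User.DoesNotExist:
                return None
            # Group names are what "Require wsgi-group" is matched against.
            return [group.name for group in user.groups.all()]
        finally:
            # Do not hold a database connection open between requests.
            db.connection.close()
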
BTW, just a warning. WSGIAuthUserScript/WSGIAuthGroupScript are called
on every request when HTTP Basic authentication is being used. In high
volume sites the overhead of this can be noticeable if you have to go
back to a database to authenticate/authorise every time. You might
want to look at some level of caching and credential expiration within
the process to avoid going to the database all the time.

That is probably all I can say at the moment without seeing the
specific values of REQUEST_METHOD and REQUEST_URI you are getting for
the request you think you are getting the wrong information for.

Graham
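
The in-process caching with credential expiration suggested in the reply above, as an added example that is not part of the original message or of mod_wsgi itself. It wraps a `check_password(environ, user, password)` handler for WSGIAuthUserScript; `make_check_password`, `sample_backend`, the 60 second lifetime and the sample user table are assumptions made for illustration.

```python
import hashlib
import hmac
import os
import threading
import time


def make_check_password(backend, ttl=60.0, clock=time.monotonic):
    """Wrap backend(user, password) -> True/False/None in a per-process cache."""
    key = os.urandom(32)      # random per process: cached digests are useless elsewhere
    cache = {}                # user -> (HMAC of credentials, expiry time)
    lock = threading.Lock()   # mod_wsgi may run several threads per process

    def digest(user, password):
        # Keyed digest so the plaintext password is never kept in memory.
        msg = user.encode("utf-8") + b"\0" + password.encode("utf-8")
        return hmac.new(key, msg, hashlib.sha256).digest()

    def check_password(environ, user, password):
        now = clock()
        token = digest(user, password)
        with lock:
            entry = cache.get(user)
            if entry is not None and entry[1] <= now:
                del cache[user]           # credential expiration
                entry = None
        if entry is not None and hmac.compare_digest(entry[0], token):
            return True                   # same credentials verified recently
        result = backend(user, password)  # the expensive lookup
        if result is True:                # failures are never cached
            with lock:
                cache[user] = (token, now + ttl)
        return result

    return check_password


SAMPLE_USERS = {"brian": "s3cret"}        # constructed sample data


def sample_backend(user, password):
    """Hypothetical stand-in for the database query."""
    if user not in SAMPLE_USERS:
        return None                       # mod_wsgi: None means unknown user
    return hmac.compare_digest(SAMPLE_USERS[user].encode(), password.encode())


# Entry point named by WSGIAuthUserScript.
check_password = make_check_password(sample_backend)
```

Only successful checks are cached, so a changed or revoked password keeps working for at most the cache lifetime, and a wrong password always goes back to the backend.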